Summarizing ZDNet's Zero Day Posts for November (2012-01-01 20:59)

The following is a brief summary of all of my posts at ZDNet's Zero Day for November. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Massive DNS poisoning attack in Brazil serving exploits and malware

02. [4]South Korea to block port 25 as anti-spam countermeasure

03. [5]Researchers spot malware using a stolen government certificate

04. [6]SCADA systems at the Water utilities in Illinois, Houston, hacked

05. [7]New Facebook worm spreading

06. [8]Popular free antivirus apps for Android fail anti-malware tests
This post has been reproduced from [9]Dancho Danchev's blog. Follow him [10]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin;content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780

4. http://www.zdnet.com/blog/security/south-korea-to-block-port-25-as-anti-spam-countermeasure/9789

5. http://www.zdnet.com/blog/security/researchers-spot-malware-using-a-stolen-government-certificate/9813

6. http://www.zdnet.com/blog/security/scada-systems-at-the-water-utilities-in-illinois-houston-hacked/9821

7. http://www.zdnet.com/blog/security/new-facebook-worm-spreading/9825

8. http://www.zdnet.com/blog/security/popular-free-antivirus-apps-for-android-fail-anti-malware-tests/9830

9. http://ddanchev.blogspot.com/

10. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for December (2012-01-01 21:02)

The following is a brief summary of all of my posts at ZDNet's Zero Day for December. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]New study claims that Chrome is the most secure browser

02. [4]FTC issues refunds to scareware victims

03. [5]Yahoo! Mail introduces two factor authentication

04. [6]Web malware exploitation kits updated with new Java exploit

05. [7]Cybercriminals exploiting the death of Kim Jong-il

06. [8]Localized ransomware variants impersonate law enforcement agencies

07. [9]Cybercriminals hijack Facebook accounts through bogus browser extensions

08. [10]Amnesty International UK compromised, serving exploits and malware

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin;content

4. http://www.zdnet.com/blog/security/ftc-issues-refunds-to-scareware-victims/9843

5. http://www.zdnet.com/blog/security/yahoo-mail-introduces-two-factor-authentication/9846

6. http://www.zdnet.com/blog/security/web-malware-exploitation-kits-updated-with-new-java-exploit/9849

7. http://www.zdnet.com/blog/security/cybercriminals-exploiting-the-death-of-kim-jong-il/9852

8. http://www.zdnet.com/blog/security/localized-ransomware-variants-impersonate-law-enforcement-agencies/9855

9. http://www.zdnet.com/blog/security/cybercriminals-hijack-facebook-accounts-through-bogus-browser-extensions/9858

10. http://www.zdnet.com/blog/security/amnesty-international-uk-compromised-serving-exploits-and-malware/9861

11. http://ddanchev.blogspot.com/

12. http://twitter.com/danchodanchev
Profiling a Vendor of Visa/Mastercard Plastics and Holograms (2012-01-03 20:04)

What is it that cybercriminals need once they have obtained access to [1]stolen financial data? Next to [2]money mules, that's empty plastic cards in which they will later on embed the stolen financial data.

Let's profile a vendor of empty Visa/Mastercard plastic cards and holograms in order to gain a better picture of just how easy it is to obtain such plastic cards.

Associated nickname: pizzA 

Associated ICQ: 496 872-531 

Associated email: plastics@safe-mail.net 

Translated vendor's proposition: 

Below you have prices and samples of my products.

Plastics - Blanks:

1-50 = 15 each
51-100 = 14 each
101+ = 13 each
201+ = 12 each

Plastics - Embossed:

1 and up = 20 each
101+ = 18 each
201+ = 17 each

Minimum order: 200 USD

Shipping to: USA, International orders (min $800 + shipping)

Plastics have UV Security print on Front and Back.

Holograms Stickers and Heatpress:

VISA - Silver/Gold
VISA mini - Silver/Gold
MasterCard - Silver/Gold

Minimum order on stickers: 500 pcs
Minimum order on Heatpress: 1000 pcs
$0.8 per hologram

PAYMENT:

Liberty Reserve (Preferred)
Western Union (500 USD minimum + 8% WU fee)

RULES:

- Any order, question feel free to ask in ICQ.
- Shipping time 24-48 after the money is picked up.
- PLEASE USE THIS TOPIC ONLY FOR FEEDBACK, ANY QUESTION AND ORDERS in ICQ.
- If you buy from me it means you agreed to my rules.

Screenshots of his inventory of Visa and Mastercard plastics 
and holograms: 
This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter.

1. http://ddanchev.blogspot.com/2011/10/exposing-market-
Who's Behind the Koobface Botnet? - An OSINT Analysis (2012-01-09 16:59)

It's full disclosure time. 

In this post, I will perform an OSINT analysis, exposing one of the key botnet masters behind the infamous Koobface botnet, that I have been [1]extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, license plate for a BMW, and directly connect him with the infrastructure - now offline or migrated to a different place - of Koobface 1.0.

The analysis is based on a single mistake that the botnet master made - namely using his personal email for registering a domain parked within Koobface's command and control infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous fake Youtube page pushed by the Koobface botnet.

Let's start from the basics. Here's an excerpt from a [2]previous research conducted on the Koobface botnet:

However, what the Koobface gang did was to register a new domain and use it as Koobface C&C again parked at the same IP, which remains active - zaebalinax.com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 which is [3]redirecting to the Koobface botnet. Two more domains were also registered and parked there, ul5jul.com and umidsummer.com - Email: 2009polevandrey@mail.ru - which remain in stand by mode at least for the time being.

The Koobface botnet master's biggest mistake is using the Koobface infrastructure for hosting a domain that was registered with the botnet master's personal email address. In this case that's zaebalinax.com and krotreal@gmail.com.

zaebalinax.com is literally translated to "Gave up on Linux". UPDATED: Multiple readers have contacted me to point out that zaebalinax is actually translated to "f*ck you all" or "you all are pissing me off".



The same email krotreal@gmail.com was used to [4]advertise the sale of Egyptian Sphynx kittens on 05.09.2007:
The following telephone belonging to Anton was provided - +79219910190. The interesting part is that the same telephone was also used in [5]another advertisement, this time for the sale of a BMW:

Photos of the BMW, offered for sale, by the same Anton that was using the Koobface infrastructure to host zaebalinax.com Email: krotreal@gmail.com:
License plate for Anton's newest BMW:
Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко). Here are more details of his online activities:

Real name: Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко)

City of origin: St. Petersburg

Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast, 197343

Associated phone numbers obtained through OSINT analysis, not whois records:

+79219910190
+380505450601
050-545-06-01

ICQ - 444374

Emails: krotreal@yahoo.com, krotreal@gmail.com, krotreal@mail.ru, krotreal@livejournal.com, newfider@rambler.ru

WM identification (WEB MONEY): 425099205053

Twitter account: [6]@KrotReal; [7]@Real_Koobface

Flickr account: [8]KrotReal

Vkontakte.ru Account: [9]KrotReal; [10]tonystarx

Foursquare Account: [11]KrotReal

Photos of Koobface botnet's master Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко):
Also, [12]a chat log from 2003, identifies KrotReal while he's using the following IP - krotreal@ip-534.dialup.cl.spb.ru

[13]How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? By personalizing cybercrime.

Go through previous research conducted on the Koobface botnet:

[14] Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova

[15] The Koobface Gang Wishes the Industry "Happy Holidays"

[16] Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"

[17] 10 things you didn't know about the Koobface gang

[18] How the Koobface Gang Monetizes Mac OS X Traffic

[19] Koobface Botnet's Scareware Business Model - Part Two

[20] Koobface Botnet's Scareware Business Model

[21] From the Koobface Gang with Scareware Serving Compromised Site

[22] Koobface Botnet Starts Serving Client-Side Exploits

[23] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

[24] Dissecting Koobface Gang's Latest Facebook Spreading Campaign

[25] Koobface - Come Out, Come Out, Wherever You Are

[26] Dissecting Koobface Worm's Twitter Campaign

[27] Koobface Botnet Redirects Facebook's IP Space to my Blog

[28] Koobface Botnet Dissected in a TrendMicro Report

[29] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[30] Movement on the Koobface Front - Part Two

[31] Movement on the Koobface Front

[32] Dissecting the Koobface Worm's December Campaign

[33] The Koobface Gang Mixing Social Engineering Vectors

[34] Dissecting the Latest Koobface Facebook Campaign
5. http://www.kupia.ru/board/bmw/3_seriya/7861

6. http://twitter.com/krotreal

7. http://twitter.com/Real_Koobface

8. http://www.flickr.com/photos/krotreal/

9. http://vkontakte.ru/krotreal

10. http://vkontakte.ru/tonystarx

13. http://ddanchev.blogspot.com/2009/01/squeezing-cybecrime-ecosystem-in-2009.html

14. http://ddanchev.blogspot.com/2010/03/koobface-redirectors-and-scareware.html

17. http://www.zdnet.com/blog/security/10-things-you-

24. http://ddanchev.blogspot.com/2010/04/dissecting-

27. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html

28. http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html

29. http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html
Summarizing ZDNet's Zero Day Posts for January (2012-02-02 00:59)

The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2012. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]'Most beautiful' scams proliferate on Facebook

02. [4]Android users hit by scareware scam

03. [5]'Remove Facebook Timeline' themed scam circulating on Facebook

04. [6]Fake Kim Jong-il video distributing malware

05. [7]Researchers spot pharmaceutical spam campaign using QR Codes

06. [8]Report: Conficker and AutoRun infections proliferating

07. [9]Researchers spot scammers using fake browser plug-ins

08. [10]New variants of premium rate SMS trojan 'RuFraud' detected in the wild

09. [11]Research: Spammers actively harvesting emails from Twitter in real-time

10. [12]DreamHost hacked, mass password-reset issued

This post has been reproduced from [13]Dancho Danchev's blog. Follow him [14]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin;content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/most-beautiful-

6. http://www.zdnet.com/blog/security/fake-kim-jong-il-video-distributing-malware/9992

7. http://www.zdnet.com/blog/security/researchers-spot-pharmaceutical-spam-campaign-using-qr-codes/10023

8. http://www.zdnet.com/blog/security/report-conficker-and-autorun-infections-proliferating/10030

9. http://www.zdnet.com/blog/security/researchers-spot-scammers-using-fake-browser-plug-ins/10160

10. http://www.zdnet.com/blog/security/new-variants-of-premium-rate-sms-trojan-rufraud-detected-in-the-wild/10165

11. http://www.zdnet.com/blog/security/research-spammers-actively-harvesting-emails-from-twitter-in-real-time/10170

12. http://www.zdnet.com/blog/security/dreamhost-hacked-mass-password-reset-issued/10175

13. http://ddanchev.blogspot.com/

14. http://twitter.com/danchodanchev
Summarizing Webroot's Threat Blog Posts for January (2012-02-02 01:07)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for January, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Millions of harvested emails offered for sale

02. [4]Email hacking for hire going mainstream

03. [5]Mass SQL injection attack affects over 200,000 URLs

04. [6]A peek inside the PickPocket Botnet

05. [7]A peek inside the Cythosia v2 DDoS Bot

06. [8]Google announces new anti-malware features in Chrome

07. [9]Adobe issues a patch for critical security holes in Reader and Acrobat

08. [10]Inside a clickjacking/likejacking scam distribution platform for Facebook

09. [11]Zappos.com hacked, 24 million users affected

10. [12]Inside AnonJDB - a Java based malware distribution platforms for drive-by downloads

11. [13]How malware authors evade antivirus detection

12. [14]A peek inside the Umbra malware loader

13. [15]How phishers launch phishing attacks

14. [16]Researchers intercept a client-side exploits serving malware campaign

15. [17]A peek inside the uBot malware bot

16. [18]Cisco releases 'Cisco Global Threat Report' for 4Q11

17. [19]Cybercriminals generate malicious Java applets using DIY tools

This post has been reproduced from [20]Dancho Danchev's blog. Follow him [21]on Twitter.



1. http://blog.webroot.com/

2. http://feeds2.feedburner.com/WebrootThreatBlog

3. http://blog.webroot.com/2012/01/03/millions-of-

8. http://blog.webroot.com/2012/01/09/google-announces-new-anti-malware-features-in-chrome/

9. http://blog.webroot.com/2012/01/11/adobe-issues-a-patch-for-critical-security-holes-in-reader-and-acrobat

10. http://blog.webroot.com/2012/01/13/inside-a-clickjackinglikejacking-scam-distribution-platform-for-facebook/

11. http://blog.webroot.com/2012/01/16/zappos-com-hacked-24-million-users-affected/

12. http://blog.webroot.com/2012/01/17/inside-anonjdb-a-java-based-malware-distribution-platforms-for-drive-by-downloads/

13. http://blog.webroot.com/2012/01/18/how-malware-authors-evade-antivirus-detection/

14. http://blog.webroot.com/2012/01/20/a-peek-inside-the-umbra-malware-loader/

15. http://blog.webroot.com/2012/01/23/how-phishers-launch-phishing-attacks/

16. http://blog.webroot.com/2012/01/25/researchers-intercept-a-client-side-exploits-serving-malware-campaign/

17. http://blog.webroot.com/2012/01/26/a-peek-inside-the-ubot-malware-bot/

18. http://blog.webroot.com/2012/01/29/cisco-releases-cisco-global-threat-report-for-4q11/

19. http://blog.webroot.com/2012/01/30/cybercriminals-generate-malicious-java-applets-using-diy-tools/

20. http://ddanchev.blogspot.com/

21. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for February (2012-03-07 23:04)

The following is a brief summary of all of my posts at ZDNet's Zero Day for February, 2012. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Spamvertised 'Tax information needed urgently' emails lead to malware

02. [4]Researchers spot a fake version of Temple Run on Android's Market

03. [5]Which are the most commonly observed Web exploits in the wild?

04. [6]Cryptome.org hacked, serving client-side exploits

05. [7]Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

06. [8]Anonymous launches 'Operation Global Blackout', aims to DDoS the Root Internet servers

07. [9]Report: malware pushed by affiliate networks remains the primary growth factor of the cybercrime ecosystem

08. [10]Cutwail botnet resurrects, launches massive malware campaigns using HTML attachments

09. [11]New Mac OS X trojan spotted in the wild

10. [12]Spamvertised 'Scan from a HP OfficeJet' emails lead to exploits and malware

11. [13]XSS Flaw discovered in Skype's Shop, user accounts targeted

This post has been reproduced from [14]Dancho Danchev's blog. Follow him [15]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?

3. http://www.zdnet.com/blog/security/spamvertised-tax-

6. http://www.zdnet.com/blog/security/cryptomeorg-hacked-serving-client-side-exploits/10319

7. http://www.zdnet.com/blog/security/report-third-party-programs-rather-than-microsoft-programs-responsible-for-most-vulnerabilities/10383

8. http://www.zdnet.com/blog/security/anonymous-launches-operation-global-blackout-aims-to-ddos-the-root-internet-servers/10387

pushed-by-affiliate-networks-remains-the-primary-growth-factor-of-the-cybercrime-ecosystem/10392

10. http://www.zdnet.com/blog/security/cutwail-botnet-resurrects-launches-massive-malware-campaigns-using-html-attachments/10398

11. http://www.zdnet.com/blog/security/new-mac-os-x-trojan-spotted-in-the-wild/10411

12. http://www.zdnet.com/blog/security/spamvertised-scan-from-a-hp-officejet-emails-lead-to-exploits-and-malware/10414

13. http://www.zdnet.com/blog/security/xss-flaw-discovered-in-skypes-shop-user-accounts-targeted/10418

14. http://ddanchev.blogspot.com/

15. http://twitter.com/danchodanchev
Summarizing Webroot's Threat Blog Posts for February (2012-03-07 23:18)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for February, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:


01. [3]Research: Google's reCAPTCHA under fire

02. [4]Spamvertised 'You have 1 lost message on Facebook' campaign leads to pharmaceutical scams

03. [5]A peek inside the Smoke Malware Loader

04. [6]Researchers spot Citadel, a ZeuS crimeware variant

05. [7]Researchers intercept two client-side exploits serving malware campaigns

06. [8]Pharmaceutical scammers launch their own Web contest

07. [9]The United Nations hacked, Team Poison claims responsibility

08. [10]Report: Internet Explorer 9 leads in socially-engineered malware protection

09. [11]Twitter adds HTTPS support by default

10. [12]Spamvertised "Hallmark ecard" campaign leads to malware

11. [13]Report: 3,325% increase in malware targeting the Android OS

12. [14]Why relying on antivirus signatures is simply not enough anymore

13. [15]Researchers intercept malvertising campaign using Yahoo's ad network

14. [16]A peek inside the Ann Malware Loader

15. [17]Spamvertised 'Termination of your CPA license' campaign serving client-side exploits

16. [18]How cybercriminals monetize malware-infected hosts

17. [19]A peek inside the Elite Malware Loader

18. [20]BlackHole exploit kits gets updated with new features

This post has been reproduced from [21]Dancho Danchev's blog. Follow him [22]on Twitter.
7. http://blog.webroot.com/2012/02/08/researchers-

8. http://blog.webroot.com/2012/02/10/pharmaceutical-scammers-launch-their-own-web-contest/

9. http://blog.webroot.com/2012/02/10/the-united-nations-hacked-team-poison-claims-responsibility/

10. http://blog.webroot.com/2012/02/14/report-internet-explorer-9-leads-in-socially-engineered-malware-protection/

11. http://blog.webroot.com/2012/02/15/twitter-adds-https-support-by-default/

12. http://blog.webroot.com/2012/02/17/spamvertised-hallmark-ecard-campaign-leads-to-malware/

13. http://blog.webroot.com/2012/02/17/report-3325-increase-in-malware-targeting-the-android-os/

14. http://blog.webroot.com/2012/02/23/why-relying-on-antivirus-signatures-is-simply-not-enough-anymore/

15. http://blog.webroot.com/2012/02/25/researchers-intercept-malvertising-campaign-using-yahoos-ad-network/

16. http://blog.webroot.com/2012/02/25/a-peek-inside-the-ann-malware-loader/

17. http://blog.webroot.com/2012/02/25/spamvertised-termination-of-your-cpa-license-campaign-serving-client-side-exploits/

18. http://blog.webroot.com/2012/02/27/how-cybercriminals-monetize-malware-infected-hosts/

19. http://blog.webroot.com/2012/02/29/a-peek-inside-the-elite-malware-loader/

20. http://blog.webroot.com/2012/02/29/blackhole-exploit-kits-gets-updated-with-new-features/

21. http://ddanchev.blogspot.com/

22. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for March (2012-04-09 19:50)

The following is a brief summary of all of my posts at ZDNet's Zero Day for March, 2012. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]New Mac OS X malware variant spotted in the wild

02. [4]Researchers intercept targeted malware attack against Tibetan organizations

03. [5]Skype vouchers themed site serving client-side exploits and malware

04. [6]Stratfor subscribers targeted by passwords-stealing malicious emails

05. [7]Spoofed LinkedIn emails serving client-side exploits

06. [8]Fake YouTube sites target Syrian activists with malware

07. [9]New Mac OS X malware variant spotted in the wild

08. [10]Spamvertised 'DHL Tracking Notification' emails serve malware

09. [11]Compromised WordPress sites serving client-side exploits and malware

10. [12]'Pixmania.com payment order detail' themed emails serving SpyEye crimeware

11. [13]Fake 'Roar of the Pharaoh' Android game spreads premium-rate SMS trojan

12. [14]Research: Many mobile password managers offer false feeling of security

13. [15]Targeted Pro-Tibetan malware attacks hit Mac OS X users

14. [16]Opera for Mac OS X patches 6 security holes

15. [17]Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastructure

16. [18]Facebook phishing attack targets Syrian activists


This post has been reproduced from [19]Dancho 
11. http://www.zdnet.com/blog/security/compromised-wordpress-sites-serving-client-side-exploits-and-malware/1

12. http://www.zdnet.com/blog/security/pixmaniacom-payment-order-detail-themed-emails-serving-spyeye-crimeware/11172

13. http://www.zdnet.com/blog/security/fake-roar-of-the-pharaoh-android-game-spreads-premium-rate-sms-trojan/

14. http://www.zdnet.com/blog/security/research-many-mobile-password-managers-offer-false-feeling-of-security/11181

15. http://www.zdnet.com/blog/security/targeted-pro-tibetan-malware-attacks-hit-mac-os-x-users/11187

16. http://www.zdnet.com/blog/security/opera-for-mac-os-x-patches-6-security-holes/11201

17. http://www.zdnet.com/blog/security/cybercriminals-use-twitter-linkedin-baidu-msdn-as-command-and-control-

18. http://www.zdnet.com/blog/security/facebook-phishing-attack-targets-syrian-activists/11217

19. http://ddanchev.blogspot.com/
Summarizing Webroot's Threat Blog Posts for March (2012-04-09 20:03)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for March, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]New service converts malware-infected hosts into anonymization proxies

02. [4]Spamvertised 'Temporary Limit Access To Your Account' emails lead to Citi phishing emails

03. [5]A peek inside the Darkness (Optima) DDoS Bot

04. [6]Research: proper screening could have prevented 67% of abusive domain registrations

05. [7]Spamvertised 'Your accountant license can be revoked' emails lead to client-side exploits and malware

06. [8]Spamvertised 'Google Pharmacy' themed emails lead to pharmaceutical scams

07. [9]Research: U.S accounts for 72% of fraudulent pharmaceutical orders

08. [10]Millions of harvested U.S government and U.S military email addresses offered for sale

09. [11]Spamvertised 'Your tax return appeal is declined' emails serving client-side exploits and malware

10. [12]Malicious USPS-themed emails circulating in the wild

11. [13]Spamvertised LinkedIn notifications serving client-side exploits and malware

12. [14]Tens of thousands of web sites affected in ongoing mass SQL injection attack

13. [15]Spamvertised Verizon-themed 'Your Bill Is Now Available' emails lead to ZeuS crimeware

14. [16]Spamvertised 'Scan from a Hewlett-Packard ScanJet' emails lead to client-side exploits and malware

This post has been reproduced from [17]Dancho 
Danchev's blog. Follow him [18]on Twitter. 
Summarizing ZDNet's Zero Day Posts for April (2012-05-08 19:20)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for April, 2012. You can subscribe to my [2]personal RSS feed, [3]Zero Day's main feed, or follow me on Twitter:

01. [4]Researcher: 50 percent of Mac OS X users still 
running outdated Java versions 

02. [5]Malicious version of Angry Birds Space spotted in the 
wild 

03. [6]French gaming site serving ZeuS crimeware for over 8 
weeks 

04. [7]New ransomware variants spotted in the wild 

05. [8]Nuclear Pack exploit kit introduces anti-honeyclient 
crawling feature 

This post has been reproduced from [9]Dancho 
Danchev's blog. Follow him [10]on Twitter. 
5. http://www.zdnet.com/blog/security/malicious-version-of-angry-birds-space-spotted-in-the-wild/11520
Summarizing Webroot's Threat Blog Posts for April (2012-05-08 19:31)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for April, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Adobe patches critical security flaws, introduces auto-updating mechanism

02. [4]Email hacking for hire going mainstream - part two

03. [5]Spamvertised 'US Airways' themed emails serving client-side exploits and malware

04. [6]New underground service offers access to hundreds of hacked PCs

05. [7]Google's Chrome patches 12 'high risk' security vulnerabilities

06. [8]Adobe plans to issue Acrobat Reader 'security update' next week

07. [9]Microsoft issues 6 security bulletins on 'Patch Tuesday'

08. [10]Adobe patches critical Reader and Acrobat security vulnerabilities

09. [11]Hewlett-Packard shipping malware-infected compact flash cards

10. [12]New DIY email harvester released in the wild

11. [13]Upcoming Webroot briefing at InfoSec, 2012, London - "Current and Emerging Trends Within the Cybercrime Ecosystem"

Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks (2012-05-08 21:36)

The [1]Lizamoon mass [2]SQL injection attacks gang is continuing to efficiently [3]inject malicious code on hundreds of thousands of legitimate sites, for the purpose of serving [4]fake security software - also known as scareware - and client-side exploits.

The latest round of the campaign is serving client-side exploits through multiple redirections that take place once the end user loads the malicious script embedded on legitimate sites. In comparison, in the past the gang used to monetize the hijacked traffic by serving scareware and bogus Adobe Flash Players.

What are some of the currently SQL injected malicious domains? How does the redirection take place? Did they put basic QA (quality assurance) tactics in place? Let's find out.

Currently injected malicious domains are parked at 31.210.100.242 (AS42926, RADORE Hosting), with the domains currently responding to that IP all serving an r.php file and sharing the same registrant email address.




[5]March's round of malicious domains was hosted at 91.226.78.148 (AS56697, LISIK-AS 000 "Byuro Remontov "FAST").

The redirection takes us to these two domains: www3.topcumaster.com - 75.102.21.120 (AS23352, SERVERCENTRAL)

Parked at 75.102.21.120 are also several other www3.* domains, all registered to the same email address as www3.topcumaster.com.


and www1.safe-wnmaster.it.cx - 217.23.8.123 (AS49981, WorldStream)

Parked on 217.23.8.123 are also over two dozen other client-side exploit serving domains, all under it.cx and each exposing an i.html file, which are part of the Lizamoon mass SQL injection attacks.




Client-side exploits, [6]CVE-2010-0188 and [7]CVE-2012-0507 in particular, are served through the i.html file located on these hosts. For the client-side exploitation process to take place, the redirection chain must be correct; if it is not, the server returns a "404 Error Message" when a specific file that is part of the campaign is requested. There are no HTTP referrer checks in place, at least for the time being. What's particularly interesting about the current campaign is that, during certain periods of time, it will purposely serve a "404 Error Message" no matter what happens.
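As an added example (not code from the original post), the following Python script rebuilds redirection chains from web proxy logs and flags the r.php -> www3.* -> *.it.cx/i.html pattern described above, labelling a chain whose exploit page answered 404 as "dormant" rather than discarding it, since the campaign serves 404s on purpose for periods of time. The log format, the client addresses and the second chain's hostnames are constructed for the example; the first chain reuses hosts named in the post.

```python
# Added example: rebuild redirection chains from proxy logs and flag chains
# that follow the Lizamoon pattern (<x>.com/r.php -> www3.<x>.com -> www<N>.<x>.it.cx/i.html).
# A final-hop 404 is labelled "dormant", not dropped: the campaign serves 404s
# on purpose for periods of time. Log format and lines are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log, "client url status referer" per line. The first chain reuses
# hosts named in the post; the second uses invented names of the same shape.
SAMPLE_LOG = """\
10.0.0.5 http://legit-site.example/index.php 200 -
10.0.0.5 http://skdjui.com/r.php 302 http://legit-site.example/index.php
10.0.0.5 http://www3.topcumaster.com/ 302 http://skdjui.com/r.php
10.0.0.5 http://www1.safe-wnmaster.it.cx/i.html 200 http://www3.topcumaster.com/
10.0.0.7 http://another-site.example/ 200 -
10.0.0.7 http://abcdef.com/r.php 302 http://another-site.example/
10.0.0.7 http://www3.example-landing.com/ 302 http://abcdef.com/r.php
10.0.0.7 http://www1.example-exploit.it.cx/i.html 404 http://www3.example-landing.com/
10.0.0.9 http://news.example/story 200 -
10.0.0.9 http://cdn.example/lib.js 200 http://news.example/story
"""

STAGE_PATTERNS = [  # must appear in this order along a chain
    re.compile(r"^https?://[^/]+\.com/r\.php$"),
    re.compile(r"^https?://www3\.[^/]+\.com/"),
    re.compile(r"^https?://www\d\.[^/]+\.it\.cx/i\.html$"),
]
EXPLOIT_PAGE = STAGE_PATTERNS[-1]

@dataclass
class Request:
    client: str
    url: str
    status: int
    referer: str  # "" when the log field was "-"

@dataclass
class Finding:
    client: str
    chain: list  # URLs from the legitimate page to the exploit page
    final_status: int
    verdict: str  # "active" or "dormant"

def parse_log(text):
    """Parse the 4-field constructed format; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        client, url, status, ref = parts
        out.append(Request(client, url, int(status), "" if ref == "-" else ref))
    return out

def build_chain(req, by_client_url):
    """Follow Referer links backwards within the same client to rebuild the
    chain ending at `req`; stops at the first hop with no known referer."""
    chain, seen, cur = [req], {req.url}, req
    while cur.referer and cur.referer not in seen:
        prev = by_client_url[cur.client].get(cur.referer)
        if prev is None:
            break
        seen.add(prev.url)
        chain.append(prev)
        cur = prev
    return chain[::-1]

def matches_lizamoon_pattern(urls):
    """True when stages 1, 2 and 3 occur in order as a subsequence of urls."""
    stage = 0
    for url in urls:
        if stage < len(STAGE_PATTERNS) and STAGE_PATTERNS[stage].search(url):
            stage += 1
    return stage == len(STAGE_PATTERNS)

def find_lizamoon_chains(log_text):
    """One Finding per exploit-page request whose rebuilt chain matches."""
    requests = parse_log(log_text)
    by_client_url = defaultdict(dict)
    for r in requests:
        by_client_url[r.client][r.url] = r  # latest request for a URL wins
    findings = []
    for r in requests:
        if not EXPLOIT_PAGE.search(r.url):
            continue
        urls = [c.url for c in build_chain(r, by_client_url)]
        if matches_lizamoon_pattern(urls):
            # 404 on the exploit page is the campaign's deliberate 404 phase,
            # not a broken chain: keep the finding, label it dormant.
            verdict = "active" if r.status == 200 else "dormant"
            findings.append(Finding(r.client, urls, r.status, verdict))
    return findings

if __name__ == "__main__":
    for f in find_lizamoon_chains(SAMPLE_LOG):
        print(f.client, f.verdict, f.final_status, " -> ".join(f.chain))
```

Hops whose Referer header was stripped will break the walk-back, so on real logs a time-window fallback per client is needed in addition to the Referer link.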

Updates will be posted, as soon as new developments 
emerge. 

Related posts:

• [8]SQL Injection Through Search Engines Reconnaissance

• [9]Massive SQL Injections Through Search Engine's Reconnaissance - Part Two

• [10]Massive SQL Injection Attacks - the Chinese Way

• [11]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service

• [12]GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

• [13]Dissecting the WordPress Blogs Compromise at Network Solutions

• [14]Yet Another Massive SQL Injection Spotted in the Wild

• [15]Smells Like a Copycat SQL Injection In the Wild

• [16]Fast-Fluxing SQL Injection Attacks

• [17]Obfuscating Fast-fluxed SQL Injected Domains

Summarizing ZDNet's Zero Day Posts for May (2012-06-06 18:15)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for May, 2012. You can subscribe to my [2]personal RSS feed, [3]Zero Day's main feed, or follow me on Twitter:
01. [4]Is Mozilla's Firefox 'click-to-play' feature a sound response to drive-by malware attacks?

02. [5]Rogue Firefox extension hijacks browser sessions

03. [6]Spamvertised 'PayPal payment notifications' lead to client-side exploits and malware

04. [7]Israeli Institute for National Security Studies compromised, serving Poison Ivy DIY malware

05. [8]Researchers spot new Web malware exploitation kit

06. [9]2012 Olympics themed malware circulating in the wild

07. [10]New ransomware impersonates the U.S Department of Justice

08. [11]Localized ransomware variants circulating in the wild

09. [12]Cybercriminals offer bogus fraud insurance services

10. [13]Researchers spot fake mobile antivirus scanners on Google Play

11. [14]The cyber security implications of Iran's government-backed antivirus software

12. [15]Q&A of the week: 'The current state of the cyber warfare threat' featuring Jeffrey Carr

13. [16]Researchers intercept Tatanga malware bypassing SMS based transaction authorization

14. [17]New SpyEye plugin takes control of crimeware victims' webcam and microphone

15. [18]Comcast phishing site contains valid TRUSTe seal

16. [19]Q&A of the Week: 'The current state of the cybercrime ecosystem' featuring Mikko Hypponen
Summarizing Webroot's Threat Blog Posts for May (2012-06-06 18:31)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for May, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]London's InfoSec 2012 Event - recap

02. [4]Managed SMS spamming services going mainstream

03. [5]A peek inside a boutique cybercrime-friendly E-shop

04. [6]Cybercriminals release 'Sweet Orange' - new web malware exploitation kit

05. [7]Spamvertised 'Pizzeria Order Details' themed campaign serving client-side exploits and malware

06. [8]Poison Ivy trojan spreading across Skype

07. [9]A peek inside a managed spam service
08. [10]Ongoing 'LinkedIn Invitation' themed campaign serving client-side exploits and malware

09. [11]Spamvertised bogus online casino themed emails serving adware

10. [12]Spamvertised 'YouTube Video Approved' and 'Twitter Support' themed emails lead to pharmaceutical scams

11. [13]A peek inside a boutique cybercrime-friendly E-shop - part two

12. [14]Spamvertised CareerBuilder themed emails serving client-side exploits and malware

13. [15]Pop-ups at popular torrent trackers serving W32/Casonline adware

14. [16]'Windstream bill' themed emails serving client-side exploits and malware
Summarizing ZDNet's Zero Day Blog Posts for June (2012-07-10 19:02)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for June, 2012. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter:
01. [3]Fake Gmail Android application steals personal data 

02. [4]Facebook begins notifying DNSChanger victims 

03. [5]French E-voting portal requires insecure Java plugin 

04. [6]Credit card fraudsters sentenced in the U.K 

05. [7]North Korea ships malware-infected games to South 
Korean users, uses them to launch DDoS attacks 

06. [8]Q&A of the Week - 'Tales from the Underground' featuring Brian Krebs

07. [9]24 cybercriminals arrested in 'Operation Card Shop' 

08. [10]Silent security updates coming to Apple's OS X Mountain Lion
09. [11]BlackHole exploit kit experimenting with 'pseudo-random domains' feature

10. [12]Which is the most popular antivirus software? 

11. [13]Winamp 5.63 fixes four critical security 
vulnerabilities 

12. [14]Chrome 20 fixes 20 security vulnerabilities 
Summarizing Webroot's Threat Blog Posts for June (2012-07-10 19:16)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for June, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Cybercriminals infiltrate the music industry by 
offering full newly released albums for just $1 

02. [4]A peek inside a boutique cybercrime-friendly E-shop 
part three 

03. [5]DDoS for hire services offering to 'take down your 
competitor's web sites' going mainstream 

04. [6]Skype propagating Trojan targets Syrian activists 

05. [7]Spamvertised 'UPS Delivery Notification' emails serving client-side exploits and malware

06. [8]Mozilla patches critical security vulnerabilities in Firefox and Thunderbird

07. [9]Spamvertised 'DHL Package delivery report' emails 
serving malware 
08. [10]Spamvertised 'Your Amazon.com order confirmation' emails serving client-side exploits and malware

09. [11]Cybercriminals populate Scribd with bogus adult content, spread malware using Comodo Backup

10. [12]Oracle and Apple patch critical Java security 
vulnerabilities 

11. [13]Spamvertised 'YourPaypal Ebay.com payment' 
emails serving client-side exploits and malware 

12. [14]'Create a Cartoon of You' ads serving MyWebSearch toolbar

13. [15]Spamvertised 'Your UPS delivery tracking' emails 
serving client-side exploits and malware 

14. [16]Spamvertised 'Confirm PayPal account' notifications lead to phishing sites

15. [17]Spamvertised 'DHL Express Parcel Tracking 
Notification' emails serving malware 

16. [18]Spamvertised bogus online casino themed emails 
serving W32/Casonline 
Summarizing ZDNet's Zero Day Blog Posts for July (2012-08-23 18:16)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for July, 2012. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Security flaw found in Amazon's Kindle Touch 

02. [4]New contacts stealing Android malware spotted in 
the wild 

03. [5]Firefox 14 fixes 5 critical security vulnerabilities 

04. [6]Bogus Google Files site earns revenue through 
premium rate SMS micro payments 

05. [7]Research: 80 % of Carberp infected computers had 
antivirus software installed 
Summarizing Webroot's Threat Blog Posts for July (2012-08-23 19:05)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for July, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Cybercriminals launch managed SMS flooding 
services 

02. [4]117,000 unique U.S visitors offered for malware 
conversion 

03. [5]Phishing campaign targeting Gmail, Yahoo, AOL and 
Hotmail spotted in the wild 

04. [6]What's the underground market's going rate for a 
thousand U.S based malware infected hosts? 

05. [7]Spamvertised American Airlines themed emails lead 
to Black Hole exploit kit 

06. [8]Online dating scam campaign currently circulating in the wild

07. [9]New Russian service sells access to compromised 
social networking accounts 

08. [10]Cybercriminals impersonate UPS in client-side 
exploits and malware serving spam campaign 

09. [11]Russian Ask.fm spamming tool spotted in the wild

10. [12]Spamvertised Intuit themed emails lead to Black 
Hole exploit kit 

11. [13]Cybercriminals impersonate Booking.com, serve malware using bogus 'Hotel Reservation Confirmation' themed emails



12. [14]Spamvertised Craigslist themed emails lead to Black 
Hole exploit kit 

13. [15]Cybercriminals impersonate law enforcement, 
spamvertise malware-serving 'Speeding Ticket' themed 
emails 

14. [16]Spamvertised 'Download your USPS Label' themed 
emails serve malware 

15. [17]Cybercriminals target Twitter, spread thousands of 
exploits and malware serving tweets 
16. [18]Russian spammers release Skype spamming tool

17. [19]Spamvertised 'Your Ebay funds are cleared' themed 
emails lead to Black Hole exploit kit 
Dissecting 'Operation Ababil' - an OSINT Analysis (2012-09-28 00:25)
Provoked by a questionable online video posted on YouTube, Muslims from around the world united in an apparent [1]opt-in botnet crowdsourcing campaign aiming to launch a DDoS (denial of service attack) against YouTube for keeping the video online, and against several [2]major U.S banks and financial institutions.

Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters, the campaign appears to have had a limited, but highly visible impact on the targeted web sites. Just like in every other crowdsourced opt-in botnet campaign, such as the "[3]Coordinated Russia vs Georgia cyber attack in progress", the "[4]Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites", the "[5]Electronic Jihad v3.0 - What Cyber Jihad Isn't" campaign, and the "[6]The DDoS Attack Against CNN.com" campaign, political sentiments over the attribution element seem to have orbited around the notion that it was [7]nation-sponsored by the Iranian government.

What's so special about this attack? Did the individuals behind it possess sophisticated hacking or coding abilities? Was it the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government? Can we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have a strong digital fingerprint?

In this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals who was part of the group that organized the campaign, spread their propaganda message to as many Muslim Facebook groups as possible, and actually claimed responsibility for the attacks once they took place.

The campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group announcing "Operation Ababil":
The original message left is as follows:

"Operation Ababil, The second week
In the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers. Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions. The officials claimed that certain countries have taken these measures to solve their internal problems. We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks. Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him). So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet. Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack. We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day. We repeat again the attacks will continue for sure till the removal of that sacrilegious movie. We invite all cyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will be large and larger and will include other evil countries like Israel, French and U.Kingdom indeed. Tuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.com Wednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.com Thursday 9/27/2012 : attack to PNC site, www.pnc.com Weekends: planning for the next week' attacks. Mrt. Izz ad-Din al-Qassam Cyber Fighters"



Periodically, the group also released update notes for the campaigns currently taking place. The original message published is as follows:
"Operation Ababil" started over BoA: http://pastebin.com/mCHia4 1/1/5 http://pastebin.com/wMma9zyG
In the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue untill the Erasing of that nasty movie from the Internet. The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline. Down with modern infidels. ### Cyber fighters of Izz ad-din Al qassam ###"

Second statement released by the group:

The original message published is as follows:

"Dear Muslim youths, Muslims Nations and are noblemen
When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam. All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie. We will attack them for this insult with all we have. All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult. We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type. Down with modern infidels."

Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet connected users who would later on be instructed on how to participate in the DDoS attacks. Let's assess the potential of the distributed DDoS tool that was used in the campaign.

Sample screenshot of the DDoS script in Arabic:
Inside the .html file, we can see that there are only three web addresses that will be targeted in their campaign:

Detection rate for the DDoS script:

youtube.html - [8]MD5: C3fd7601b4aefe70e4a8f6d73bf5c997

Detected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924

Originally, the attack relied on a static recruitment message which included links to the DIY DDoS script located on 4shared.com and Mediafire.com. What's particularly interesting is the fact that the files were uploaded by a user going under the handle of "Marzi Mahdavi II". It's important to point out that these static links were distributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups.

Thanks to this fact, we could easily identify the user's Facebook account, and actually spot the original message seeking participation in the upcoming attacks.

Marzi Mahdavi II's Facebook account:

Sample shared Wall post seeking participation in the upcoming DDoS campaign:

Sample blog post enticing users to participate:

Marzi Mahdavi II has once referenced a link pointing to the same blog, clearly indicating that he's following the ongoing recruitment campaigns across multiple Web sites:

Second blog post enticing users to participate in the DDoS campaign:
This very latest example of the Iranian hacktivist community's understanding of cyber operations once again leads me to the conclusion that what we've got here is either the fact that Iran's hacktivist community is lagging years behind sophisticated Eastern European hacking teams and cybercrime-friendly communities, or that Iran is purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into thinking that it's still in a "catch up mode" with the rest of the world when it comes to offensive cyber operations.

Did these coordinated DDoS campaigns actually have any impact on the targeted web sites? According to data from Host-Tracker, they seem to have achieved limited, but visible results, a rather surprising fact given the low profile DDoS script released by the campaigners.

Sample Host-Tracker report for a targeted web site during the campaign:

Second Host-Tracker report for a targeted web site during the campaign:

Third Host-Tracker report for a targeted web site during the campaign:

Fourth Host-Tracker report for a targeted web site during the campaign:

Fifth Host-Tracker report for a targeted web site during the campaign:

146 


E 


Is the Iranian government really behind this campaign, or 
was it actually the work of amateurs with outdated 

and virtually irrelevant technical skills? Taking into 
consideration the previous [9]DDoS campaign launched 


by 


Iranian hacktivists in 2009, in this very latest one we 
once again see a rather limited understanding of cyber 

operations taking into consideration the centralized nature 
of the chain of command in this group. 

What's also worth pointing out is the fact that this is the first 
public appearance of the group that claims re¬ 
sponsibility for these attacks. Considering this and the lack 
of a strong digital fingerprint for the group in question, 

virtually anyone on the Internet can [10]engineer cyber 
warfare tensions between Iran and the U.S, by 

basically 

impersonating a what's believed to be an Iranian group. 

This post has been reproduced from [HJDancho 
Danchev's blog. Follow him [12]on Twitter. 

1. http://www.zdnet.com/blo a /securitv/attack-of-the-opt-in- 
botnets/6268 
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2. http://www.reuters.com/article/2Q12/09/21/us-iran- 
c vberattacks-idUSBRE88K12H2012Q921 

3. http://www.zdnet.com/blo a /securitv/coordinated-russia- 
vs-aeora ia-cvber-attack-m-pro a ress/1670 

4. http://www.zdnet.com/blo a /securitv/iranian-o p position- 
launches-or a anized-cvber-attack-a a ainst-pro-ahmadin 


ei ad-sites/3613 



























5. http://ddanchev.blo as pot.com/2QQ7/ll/electronic- i ihad- 
v3Q-what-cvber- i ihad.html 

6. http://ddanchev.blo as pot.com/2QQ8/04/ddos-attack- 
aa ainst-cnncom.html 

7. 

http://www.foxbusiness.com/industries/2Q12/Q9/24/lieberma 

n-blame-iran-for-cvber-attacks-on-bank-america-c 

hase/ 

8 . 
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1348697936/ 
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ei ad-sites/3613 

10. http://www.zdnet.com/blo a /securitv/should-a-tar a eted- 
countrv-strike-back-at-the-cvber-attackers/6194 

11. http://ddanchev.blo as pot.com/ 

12. http://twitter.com/danchodanchev 
Dissecting 'Operation Ababil' - an OSINT Analysis
(2012-09-28 00:25)

Provoked by a questionable online video posted on YouTube, Muslims from around the world united in an apparent [1]opt-in botnet crowdsourcing campaign aiming to launch a DDoS (distributed denial of service) attack against YouTube for keeping the video online, and against several [2]major U.S. banks and financial institutions.

Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters, the campaign appears to have had a limited, but highly visible impact on the targeted web sites. Just like in every other crowdsourced opt-in botnet campaign, such as the "[3]Coordinated Russia vs Georgia cyber attack in progress", the "[4]Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites", the "[5]Electronic Jihad v3.0 - What Cyber Jihad Isn't" campaign, and the "[6]The DDoS Attack Against CNN.com" campaign, political sentiments over the attribution element seem to have orbited around the notion that it was [7]nation-sponsored by the Iranian government.

What's so special about this attack? Did the individuals behind it possess sophisticated hacking or coding abilities? Was it the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government? Can we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have a strong digital fingerprint?

In this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals who is part of the group that organized the campaign, spread its propaganda message to as many Muslim Facebook groups as possible, and actually claimed responsibility for the attacks once they took place.

The campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group announcing "Operation Ababil":

The original message left is as follows:

"Operation Ababil, The second week

In the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers. Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions.

The officials claimed that certain countries have taken these measures to solve their internal problems. We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks. Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him).

So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet. Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack. We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day.

We repeat again the attacks will continue for sure till the removal of that sacrilegious movie. We invite all cyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will be large and larger and will include other evil countries like Israel, French and U.Kingdom indeed.

Tuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.com
Wednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.com
Thursday 9/27/2012 : attack to PNC site, www.pnc.com
Weekends: planning for the next week' attacks.

Mrt. Izz ad-Din al-Qassam Cyber Fighters"



Periodically, the group also released update notes for the campaigns currently taking place:

The original message published is as follows:

""Operation Ababil" started over BoA: http://pastebin.com/mCHia4 1 / 1/5 http://pastebin.com/wMma9zyG In the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue untill the Erasing of that nasty movie from the Internet. The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline. Down with modern infidels. ### Cyber fighters of Izz ad-din Al qassam ###"

Second statement released by the group:

The original message published is as follows:

"Dear Muslim youths, Muslims Nations and are noblemen

When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam. All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie.

We will attack them for this insult with all we have. All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult. We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type. Down with modern infidels."

Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet-connected users who would later be instructed on how to participate in the DDoS attacks. Let's assess the potential of the distributed DDoS tool that was used in the campaign.

Sample screenshot of the DDoS script in Arabic:
Inside the .html file, we can see that there are only three web addresses that will be targeted in their campaign:

Detection rate for the DDoS script:

youtube.html - [8]MD5: C3fd7601b4aefe70e4a8f6d73bf5c997 - detected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924

Originally, the attack relied on a static recruitment message which included links to the DIY DDoS script located on 4shared.com and Mediafire.com. What's particularly interesting is the fact that the files were uploaded by a user going under the handle of "Marzi Mahdavi II". It's important to point out that these static links were distributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups.

Thanks to this fact, we could easily identify the user's Facebook account, and actually spot the original message seeking participation in the upcoming attacks.

Marzi Mahdavi II's Facebook account:

Sample shared Wall post seeking participation in the upcoming DDoS campaign:

Sample blog post enticing users to participate:

Marzi Mahdavi II once referenced a link pointing to the same blog, clearly indicating that he's following the ongoing recruitment campaigns across multiple Web sites:

Second blog post enticing users to participate in the DDoS campaign:
This very latest example of the Iranian hacktivist community's understanding of cyber operations once again leads me to the conclusion that either Iran's hacktivist community is lagging years behind sophisticated Eastern European hacking teams and cybercrime-friendly communities, or that Iran is purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into thinking that it's still in "catch up mode" with the rest of the world when it comes to offensive cyber operations.

Did these coordinated DDoS campaigns actually have any impact on the targeted web sites? According to data from Host-Tracker, they seem to have achieved limited but visible results, a rather surprising fact given the low-profile DDoS script released by the campaigners.


Sample Host-Tracker report for a targeted web site during the campaign:

Second Host-Tracker report for a targeted web site during the campaign:

Third Host-Tracker report for a targeted web site during the campaign:

Fourth Host-Tracker report for a targeted web site during the campaign:

Fifth Host-Tracker report for a targeted web site during the campaign:
Is the Iranian government really behind this campaign, or was it actually the work of amateurs with outdated and virtually irrelevant technical skills? Taking into consideration the previous [9]DDoS campaign launched by Iranian hacktivists in 2009, in this very latest one we once again see a rather limited understanding of cyber operations, given the centralized nature of the chain of command in this group.

What's also worth pointing out is the fact that this is the first public appearance of the group that claims responsibility for these attacks. Considering this and the lack of a strong digital fingerprint for the group in question, virtually anyone on the Internet can [10]engineer cyber warfare tensions between Iran and the U.S. by basically impersonating what's believed to be an Iranian group.

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter.

1. http://www.zdnet.com/blog/security/attack-of-the-opt-in-botnets/6268

2. http://www.reuters.com/article/2012/09/21/us-iran-cyberattacks-idUSBRE88K12H20120921

3. http://www.zdnet.com/blog/security/coordinated-russia-vs-georgia-cyber-attack-in-progress/1670

4. http://www.zdnet.com/blog/security/iranian-opposition-launches-organized-cyber-attack-against-pro-ahmadinejad-sites/3613

5. http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html

6. http://ddanchev.blogspot.com/2008/04/ddos-attack-against-cnncom.html

7. http://www.foxbusiness.com/industries/2012/09/24/lieberman-blame-iran-for-cyber-attacks-on-bank-america-chase/

8. https://www.virustotal.com/file/a3be8deb4ebc8de1d0d19467da606033c8938cf74d1489761fbc9e195d7d1c75/analysis/1348697936/

9. http://www.zdnet.com/blog/security/iranian-opposition-launches-organized-cyber-attack-against-pro-ahmadinejad-sites/3613

10. http://www.zdnet.com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194

11. http://ddanchev.blogspot.com/

12. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for August
(2012-09-28 01:43)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for August, 2012. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter:

01. [3]BlackBerry users targeted with malware-serving email 
campaign 

02. [4]Java zero day vulnerability actively used in targeted attacks

03. [5]Loozfon Android malware targets Japanese female users

04. [6]Researcher reports a CSRF vulnerability in Facebook's App Center, earns $5,000

05. [7]Cybercriminals impersonate popular security vendors, serve malware

This post has been reproduced from [8]Dancho Danchev's blog. Follow him [9]on Twitter.

1. http://zdnet.com/blog/security

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blackberry-users-targeted-with-malware-serving-email-campaign-7000003154/

4. http://www.zdnet.com/java-zero-day-vulnerability-actively-used-in-targeted-attacks-7000003233/

5. http://www.zdnet.com/loozfon-android-malware-targets-japanese-female-users-7000003236/

6. http://www.zdnet.com/researcher-reports-a-csrf-vulnerability-in-facebooks-app-center-earns-5000-700000324

7. http://www.zdnet.com/cybercriminals-impersonate-popular-security-vendors-serve-malware-7000003433/

8. http://ddanchev.blogspot.com/
Summarizing Webroot's Threat Blog Posts for August
(2012-09-28 01:54)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for August, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Spamvertised AICPA themed emails lead to Black Hole exploit kit

02. [4]Spamvertised 'PayPal has sent you a bank transfer' themed emails lead to Black Hole exploit kit

03. [5]Ongoing spam campaign impersonates LinkedIn, serves exploits and malware

04. [6]Millions of spamvertised emails lead to W32/Casonline

05. [7]Cybercriminals impersonate AT&T's Billing Service, serve exploits and malware

06. [8]IRS themed spam campaign leads to Black Hole exploit kit

07. [9]Cybercriminals spamvertise bogus greeting cards, serve exploits and malware

08. [10]Spamvertised 'Federal Tax Payment Rejected' themed emails lead to Black Hole exploit kit

09. [11]Spamvertised 'Fwd: Scan from a Hewlett-Packard ScanJet' emails lead to Black Hole exploit kit

10. [12]Spamvertised 'Royal Mail Shipping Advisory' themed emails serve malware

11. [13]Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails

12. [14]Cybercriminals spamvertise PayPay themed 'Notification of payment received' emails, serve malware

13. [15]Cybercriminals impersonate UPS, serve malware

This post has been reproduced from [16]Dancho Danchev's blog. Follow him [17]on Twitter.
6. http://blog.webroot.com/2012/08/09/millions-of-spamvertised-emails-lead-to-w32casonline/

7. http://blog.webroot.com/2012/08/10/cybercriminals-impersonate-atts-billing-service-serve-exploits-and-malware/

8. http://blog.webroot.com/2012/08/13/irs-themed-spam-campaign-leads-to-black-hole-exploit-kit/

9. http://blog.webroot.com/2012/08/21/cybercriminals-spamvertise-bogus-greeting-cards-serve-exploits-and-malware/

10. http://blog.webroot.com/2012/08/24/spamvertised-federal-tax-payment-rejected-themed-emails-lead-to-black-hole-exploit-kit/

11. http://blog.webroot.com/2012/08/27/spamvertised-fwd-scan-from-a-hewlett-packard-scanjet-emails-lead-to-black-hole-exploit-kit/

12. http://blog.webroot.com/2012/08/28/spamvertised-royal-mail-shipping-advisory-themed-emails-serve-malware/

13. http://blog.webroot.com/2012/08/29/cybercriminals-impersonate-intuit-market-mass-mail-millions-of-exploits-and-malware-serving-emails/

14. http://blog.webroot.com/2012/08/30/cybercriminals-spamvertise-paypay-themed-notification-of-payment-received-emails-serve-malware/

15. http://blog.webroot.com/2012/08/31/cybercriminals-impersonate-ups-serve-malware/

16. http://ddanchev.blogspot.com/

17. http://twitter.com/danchodanchev
Summarizing Webroot's Threat Blog Posts for September
(2012-10-01 14:18)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for September, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Spamvertised 'Wire Transfer Confirmation' themed emails lead to Black Hole exploit kit

02. [4]Intuit themed 'QuickBooks Update: Urgent' emails lead to Black Hole exploit kit

03. [5]Cybercriminals resume spamvertising bogus greeting cards, serve exploits and malware

04. [6]Cybercriminals abuse Skype's SMS sending feature, release DIY SMS flooders

05. [7]New Russian service sells access to thousands of automatically registered accounts

06. [8]Spamvertised 'Your Fedex invoice is ready to be paid now' themed emails lead to Black Hole Exploit kit

07. [9]New Russian DIY SMS flooder using ICQ's SMS sending feature spotted in the wild

08. [10]Spamvertised 'US Airways reservation confirmation' themed emails serve exploits and malware

09. [11]Cybercriminals impersonate FDIC, serve client-side exploits and malware

10. [12]Managed Ransomware-as-a-Service spotted in the wild

11. [13]A peek inside a boutique cybercrime-friendly E-shop - part four

12. [14]New E-shop selling stolen credit cards data spotted in the wild

13. [15]From Russia with iPhone selling affiliate networks

14. [16]New Russian DIY DDoS bot spotted in the wild
Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two
(2012-10-26 15:36)

With more crowdsourced intelligence on "Operation Ababil" published in recent weeks, it's time to revisit the campaign's core strategy for harnessing enough bandwidth to successfully take down major U.S. financial institutions.

As you may remember, in [1]Part One of the OSINT analysis for "Operation Ababil" I emphasized the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters, which led to the successful DDoS attack against these institutions. It appears that this was just one of the many stages of the campaign.

According to security researchers from Prolexic, the attackers also relied on [2]a PHP-based DDoS attack script known as "itsoknoproblembro" that was installed on servers susceptible to exploitation through the Bluestork Joomla template. By combining crowdsourced bandwidth with bandwidth from the compromised servers, the attackers managed to achieve their objectives.

The DDoS script in question, "itsoknoproblembro", had been publicly available as a download for months before the attacks started, indicating that it was not purposely coded to be used in the campaign against major U.S. financial institutions.

Detection rate: PHP_DDoS.html - [3]MD5: 9ebab9f37f2b17529ccbcdf9209891be - detected by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A

Next to Prolexic's claims, [4]th3j35t3r also published an analysis of the situation that relies primarily on wishful thinking and social engineering, claiming that Anonymous supplied the operators of "Operation Ababil" with DDoS bandwidth by using a service called Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335.

Sample screenshots of the Multiboom.me GUI:

With "Operation Ababil" continuing to fuel political tensions between the U.S. and Iran, which is blamed for organizing and launching these attacks, it's worth emphasizing the basics of [5]'false-flag' cyber operations and [6]"aggregate-and-forget" botnets.

When was the first time you heard of Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters? Appreciate my rhetoric: right after they started their crowdsourcing campaign. With the group lacking any significant digital fingerprint prior to these attacks, virtually anyone can localize their objectives with a little twist of politics and propaganda, and easily set the foundations for what is now perceived as an Iranian cyber operation.

Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are aware of the dynamics of modern cyber operations in general; accordingly, they chose to acquire bandwidth without outsourcing their needs to ubiquitous and sophisticated [7]Russian DDoS-on-demand services, which could have led to the easy identification of the service in question, next to the cybercriminals behind it.

Updates will be posted as soon as new intel becomes available.
Summarizing ZDNet's Zero Day Posts for October
(2012-11-02 01:47)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for October, 2012. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Report: Large US bank hit by 20 different crimeware 
families 

02. [4]Localized Dorkbot malware variant spreading across 
Skype 

03. [5]Sopelka botnet drops Citadel, Feodo, and Tatanga 
crimeware variants 

04. [6]Adobe patches 6 critical security flaws in Shockwave 

This post has been reproduced from [7]Dancho 
Danchev's blog. Follow him [8]on Twitter. 

1. http://zdnet.com/blog/security

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/report-large-us-bank-hit-by-20-different-crimeware-families-7000005188/

4. http://www.zdnet.com/localized-dorkbot-malware-variant-spreading-across-skype-7000006021/

5. http://www.zdnet.com/sopelka-botnet-drops-citadel-feodo-and-tatanga-crimeware-variants-7000006260/

6. http://www.zdnet.com/adobe-patches-6-critical-security-flaws-in-shockwave-7000006272/

7. http://ddanchev.blogspot.com/

8. http://twitter.com/danchodanchev

Summarizing Webroot's Threat Blog Posts for October
(2012-11-02 02:34)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for October, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Russian cybercriminals release new DIY SMS flooder 

02. [4]Upcoming Webroot presentation on Cyberjihad and 
Cyberterrorism at RSA Europe 2012 

03. [5]Recently launched E-shop sells access to hundreds of 
hacked PayPal accounts 

04. [6]New Russian service sells access to compromised 
Steam accounts 

05. [7]'Vodafone Europe: Your Account Balance' themed 
emails serve malware 

06. [8]Cybercriminals impersonate UPS, serve client-side exploits and malware

07. [9]'Your video may have illegal content' themed emails serve malware

08. [10]Cybercriminals spamvertise 'Amazon Shipping Confirmation' themed emails, serve client-side exploits and malware

09. [11]American Airlines themed emails lead to the Black Hole Exploit Kit

10. [12]Bogus Facebook notifications lead to malware

11. [13]Spamvertised 'KLM E-ticket' themed emails serve malware

12. [14]'Intuit Payroll Confirmation inquiry' themed emails lead to the Black Hole exploit kit

13. [15]Malware campaign spreading via Facebook direct 
messages spotted in the wild 

14. [16]'Regarding your Friendster password' themed emails 
lead to Black Hole exploit kit 

15. [17]Russian cybercriminals release new DIY DDoS 
malware loader 

16. [18]PayPal 'Notification of payment received' themed 
emails serve malware 

17. [19]Cybercriminals impersonate Delta Airlines, serve 
malware 

18. [20]'Your UPS Invoice is Ready' themed emails serve 
malware 



19. [21]Bogus Skype 'Password successfully changed' 
notifications lead to malware 

20. [22]RSA Conference Europe 2012 - recap 

21. [23]Cybercriminals impersonate Verizon Wireless, serve 
client-side exploits and malware 

22. [24]Spamvertised 'BT Business Direct Order' themed 
emails lead to malware 

23. [25]Cybercriminals spamvertise millions of British 
Airways themed e-ticket receipts, serve malware 

24. [26]Cybercriminals spamvertise millions of bogus 
Facebook notifications, serve malware 

25. [27]Nuclear Exploit Pack goes 2.0 
Managed Embedding of Malicious iFrames Through Compromised Accounts as a Service
(2012-11-24 00:55)

Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product
(2012-11-26 03:52)

On January 09, 2012 I exposed [1]Koobface botnet master KrotReal. On January 16, 2012, [2]The New York Times went public with data from Facebook Inc. exposing the identities of the rest of the group. What happened? With the botnet masters still at large, and the Koobface botnet currently offline, a logical question emerges: what are these cybercriminals up to now that they're no longer involved in managing Koobface?

Cybercrime as usual! 

Continuing to [3]squeeze the cybercrime ecosystem, and keep known bad actors on a short leash, in this intelligence brief I'll expose [4]Anton Nikolaevich Korotchenko a.k.a. KrotReal's latest activities, indicating that he's currently busy experimenting with two projects:

• A Black Hat SEO (Search Engine Optimization) related service/product

• Underground traffic exchange/pay-per-install network currently distributing localized Ransomware

Just like the case when KrotReal's real life identity was revealed due to a single mistake he made over a period of several years, namely registering a Koobface command and control server using his personal GMail account, in this intelligence brief I'll once again expose his malicious and fraudulent activities by profiling two of the most recent domains he once again registered with his personal GMail account.



Let's start by profiling his Black Hat SEO service/product, currently hosted on one of the domains he registered in 2011.

trafficconverter.in - 176.9.146.78 - Email: krotreal@gmail.com
Created On: 28-Jul-2011 12:37:45 UTC
Last Updated On: 28-Jun-2012 08:11:43 UTC
Expiration Date: 28-Jul-2013 12:37:45 UTC
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The service/product apparently allows the systematic abuse of legitimate blogging platforms such as Google's Blogger and Wordpress, next to Yoom CMS. KrotReal himself might be using the tool, or sell/offer access to it as a managed service. Does this mean he's not using it himself to monetize the hijacked legitimate traffic that he's able to obtain through his Black Hat SEO campaigns? Not at all.

More domains presumably to be used for Black Hat SEO purposes, registered with KrotReal's personal email account (krotreal@gmail.com):

superstarfind.com
celeb-search.com
myown-search.com
myfindstuff.com
network-find.com
coolfind200309.com
experimentsearch.com
fashion-overview.com
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krotpong.com
adultpartypics.com
findhunt.com

How is he actually monetizing the hijacked traffic? Keep reading. Now it's time to expose his malicious activities in the form of spreading localized Ransomware variants. For the record, [5]the Koobface gang distributed primarily scareware - there's evidence that the group was also involved in other [6]malicious campaigns - and even [7]bragged about the fact that they're not damaging infected user PCs.

What's particularly interesting about profiling this campaign is that it's a great example of double-layer monetization, as KrotReal is earning revenue through the Traffic Holder Adult Affiliate Program, in between serving client-side exploits and ultimately dropping Ransomware on the affected host using the same redirection chain.

Sample malicious domain name reconnaissance:

traffictracker.in - 176.9.146.78 (AS24940) - Email: krotreal@gmail.com
Created On: 22-Nov-2011 13:42:53 UTC
Last Updated On: 22-Nov-2012 22:33:25 UTC
Expiration Date: 22-Nov-2013 13:42:53 UTC

Responding to the same IP 176.9.146.78 (AS24940):

allcelebrity.ru
easypereezd.ru

Sample malicious activity redirection chain:

hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1 ->
hxxp://celeb-search.com/in.php?source=th&q=nude+girls ->
hxxp://celeb-search.com/in3.php?source=th&q=nude+girls ->
hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic ->
hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= ->
hxxp://gravityexp.com/go.php?sid=12 ->
hxxp://nosnowfevere.com/ZqRqk (exploiting [8]CVE-2008-5353) ->
hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 ->
hxxp://nosnowfevere.com/ZqRqk ->
hxxp://nosnowfevere.com/EHSvFc ->
hxxp://nosnowfevere.com/XMDrkH

KrotReal's Traffic Holder Adult Affiliate Network ID is ppillow-pics_erotic.
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Malicious domain names reconnaissance:

gravityexp.com - returns "Digital River GmbH" on its home page - 46.163.117.144 - Email: francesca.muglia.130@istruzione.it
Updated Date: 30-aug-2012
Creation Date: 30-aug-2012
Expiration Date: 30-aug-2013

nosnowfevere.com - 91.211.119.32 - Email: djbroning@definefm.com
Updated Date: 25-nov-2012
Creation Date: 25-nov-2012
Expiration Date: 25-nov-2013

Upon successful client-side exploitation, the campaign drops [9]MD5: d234a238eb8686d08cd4e0b8b705da14 - detected by 10 out of 43 antivirus scanners as Trojan.Winlock.7431

Sample screenshot displayed to users from geolocated countries:
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Second screenshot of a sample page displayed to affected U.K. users:
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Additional malicious payload obtained from the campaign:

[10]MD5: fd47fe3659d7604d93c3ce0c0581fed7 - detected by 4 out of 44 antivirus scanners as Exploit:Java/CVE-2012-5076.BBW

[11]MD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen [Expl]

[12]MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - detected by 5 out of 44 antivirus scanners as Exploit:Java/CVE-2012-1723!generic

Ransomware C&C malicious domain name reconnaissance:

sarscowoy.com - currently responds to 176.28.22.32 (AS20773); 176.28.14.42 (AS20773) - Email: rmasela@ymail.com

On 2012-06-21 the domain responded to 204.13.160.28 (AS33626), then on 2012-07-01 it changed IPs to 46.163.113.79 (AS20773), then again on 2012-11-14 it changed IP to 176.28.14.42 (AS20773), followed by one last change on 2012-11-24 to 176.28.22.32 (AS20773).

One more MD5 is known to have phoned back to the same Ransomware C&C URL - [13]MD5: 1600577edece1efe11c75158f9dd24db - detected by 28 out of 38 antivirus scanners as Trojan:Win32/Tobfy.H

Interestingly, the cybercriminals behind the Ransomware left the administration panel open to anyone who wants to take a look at the way the whole process works.
Sample screenshot of the administration panel:
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Second screenshot of the administration panel, showing a directory listing, including unique and localized files for potential victims from multiple countries:
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More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42):

bussinesmail.org - Email: belov28@gmail.com
elitesecuritynet.com - Email: pescifabio83@yahoo.fi
ideasdeunion.com - Email: esbornikk@aol.com
ineverworrynet.com - Email: pescifabio83@yahoo.fi
testcitycheckers.com - Email: pescifabio83@yahoo.fi
uneugroup.com - Email: anders_christensen@yahoo.com
winntegroups.eu - Email: robertobona69@yahoo.com
sexchatvideo.org - Email: daddario.maria@virgilio.it
quasarnet.co - Email: valter.bars@venezia.pecavvocati.it
bestconsultingoffice.com
apaineal.ru
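The pivots performed by hand above (domains sharing a hosting IP, domains sharing a registrant e-mail, and the C&C domain's IP history) as an added Python example; this is not code from the original post. Every record is constructed from values quoted in the post, the assignment of one C&C IP per co-hosted domain is a simplification, and the control domain unrelated-control.example is an assumption.

```python
"""Infrastructure pivoting over WHOIS / passive-DNS style records (added example).

Reproduces the two pivots the post does manually, shared hosting IP and shared
registrant e-mail, plus the IP-change timeline of the ransomware C&C domain.
All records are constructed from values quoted in the post; nothing is looked up
live, so it runs offline.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DomainRecord:
    """One WHOIS / passive-DNS style observation for a domain."""
    domain: str
    ips: tuple[str, ...]          # IPs the domain has been seen resolving to
    email: str | None = None      # registrant e-mail, when WHOIS exposed one


# Constructed sample set using the domains, IPs and registrant e-mails quoted in the
# post. Which of the two C&C IPs each co-hosted domain gets is a simplification made
# for the example; the last record is an unrelated control domain that must stay alone.
RECORDS = [
    DomainRecord("sarscowoy.com", ("176.28.22.32", "176.28.14.42"), "rmasela@ymail.com"),
    DomainRecord("bussinesmail.org", ("176.28.22.32",), "belov28@gmail.com"),
    DomainRecord("elitesecuritynet.com", ("176.28.14.42",), "pescifabio83@yahoo.fi"),
    DomainRecord("ineverworrynet.com", ("176.28.22.32",), "pescifabio83@yahoo.fi"),
    DomainRecord("testcitycheckers.com", ("176.28.14.42",), "pescifabio83@yahoo.fi"),
    DomainRecord("trafficconverter.in", ("176.9.146.78",), "krotreal@gmail.com"),
    DomainRecord("traffictracker.in", ("176.9.146.78",), "krotreal@gmail.com"),
    DomainRecord("allcelebrity.ru", ("176.9.146.78",)),
    DomainRecord("unrelated-control.example", ("203.0.113.9",), "nobody@example.net"),
]

# Dated resolutions of the ransomware C&C domain, as given in the post.
SARSCOWOY_HISTORY = [
    (date(2012, 6, 21), "204.13.160.28"),
    (date(2012, 7, 1), "46.163.113.79"),
    (date(2012, 11, 14), "176.28.14.42"),
    (date(2012, 11, 24), "176.28.22.32"),
]


def indicator_index(records: list[DomainRecord]) -> dict[str, set[str]]:
    """Map every IP and registrant e-mail to the set of domains carrying it."""
    index: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        for ip in rec.ips:
            index[ip].add(rec.domain)
        if rec.email:
            index[rec.email].add(rec.domain)
    return dict(index)


def shared_indicators(records: list[DomainRecord]) -> dict[str, set[str]]:
    """Only the indicators that tie two or more domains together: the pivot points."""
    return {k: v for k, v in indicator_index(records).items() if len(v) > 1}


def pivot_clusters(records: list[DomainRecord]) -> list[tuple[str, ...]]:
    """Connected components of the 'shares an IP or a registrant e-mail' relation.

    Union-find is used so that a chain (A shares an IP with B, B shares an e-mail
    with C) lands in one cluster, which is how the post ties domains to sarscowoy.com.
    Clusters come back largest first, each sorted alphabetically.
    """
    parent = {rec.domain: rec.domain for rec in records}

    def find(d: str) -> str:
        while parent[d] != d:
            parent[d] = parent[parent[d]]   # path halving keeps the tree flat
            d = parent[d]
        return d

    for domains in indicator_index(records).values():
        first, *rest = sorted(domains)
        for other in rest:
            root_a, root_b = find(first), find(other)
            if root_a != root_b:
                parent[root_b] = root_a

    clusters: dict[str, set[str]] = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted((tuple(sorted(c)) for c in clusters.values()),
                  key=lambda c: (-len(c), c))


def ip_changes(history: list[tuple[date, str]]) -> list[tuple[date, str, str]]:
    """Reduce dated (date, ip) observations to (date, old_ip, new_ip) change events."""
    changes = []
    previous = None
    for when, ip in sorted(history):      # observations need not arrive ordered
        if previous is not None and ip != previous:
            changes.append((when, previous, ip))
        previous = ip
    return changes


if __name__ == "__main__":
    for indicator, domains in sorted(shared_indicators(RECORDS).items()):
        print(f"{indicator:24} -> {', '.join(sorted(domains))}")
    for cluster in pivot_clusters(RECORDS):
        print("cluster:", ", ".join(cluster))
    for when, old, new in ip_changes(SARSCOWOY_HISTORY):
        print(f"{when}: {old} -> {new}")
```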

What we've got here is a great example of the following - when you don't fear legal prosecution for your
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fraudulent activities over a period of several years, earning you potentially hundreds of thousands of dollars, you just launch new projects, continuing to cause more harm and fraudulently obtain funds from infected victims.

For those who are interested in more details on the technical side of this Ransomware, you should [14]consider going through this research.

Hat tip to Steven Adair from [15]Shadowserver for the additional input.

This post has been reproduced from [16]Dancho Danchev's blog. Follow him [17]on Twitter.

1. http://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html

2. http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?pagewanted=all

3. http://ddanchev.blogspot.com/2009/01/squeezing-cybecrime-ecosystem-in-2009.html

4. http://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html

5. https://www.google.com/webhp?hl=en&tab=ww#hl=en&tbo=d&sclient=psy-ab&q=site:ddanchev.blogspot.com+koobface+scareware&oq=site:ddanchev.blogspot.com+koobface+scar

6. http://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html

7. http://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html

8. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353

9. https://www.virustotal.com/file/7e8390200ac14f0dbf2b5abe9f55ec5dd3d5c87c8557f0ac8c33eacdd194bd1a/analysis/1353887136/

10. https://www.virustotal.com/file/c8dd7ae2ea8687455c4abb61277bcfad1175ef3a364ff8ffe1ba1c40f41f0688/analysis/1353887853/

11. https://www.virustotal.com/file/c1ab36aeb31e87288af7debf19fda85d1e222dd4e4f4add5ec812d8425201a13/analysis/1353887970/

12. https://www.virustotal.com/file/5961570b5bcce2bb5fb95c8a9e4b32bb02ef6dd57180fac5df27b46bf2d6b5e2/analysis/1353888039/

13. https://www.virustotal.com/file/488a6cfe5cc177c4d5a0c38de495ab247f608e1e4031b84b5a772953753799fe/analysis/

14. http://www.xylibox.com/2012/11/multi-locker.html

15. http://www.shadowserver.org/

16. http://ddanchev.blogspot.com/

17. http://twitter.com/danchodanchev
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
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Summarizing ZDNet's Zero Day Posts for November 
(2012-11-30 15:55) 

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for November, 2012. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Opera for Mac OS X patches six security 
vulnerabilities 

02. [4]Cybercriminals start spamvertising Xmas themed 
scams and malware campaigns 

03. [5]Apple releases QuickTime 7.7.3 for Windows, patches 
critical security vulnerabilities 

04. [6]Active XSS flaw discovered on eBay

05. [7]A patched browser - false feeling of security or a security utopia that actually exists?

This post has been reproduced from [8]Dancho Danchev's blog. Follow him [9]on Twitter.

1. http://zdnet.com/blog/security

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/opera-for-mac-os-x-patches-six-security-vulnerabilities-7000007174/

4. http://www.zdnet.com/cybercriminals-start-spamvertising-xmas-themed-scams-and-malware-campaigns-700000717
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5. http://www.zdnet.com/apple-releases-quicktime-7-7-3-for-windows-patches-critical-security-vulnerabilities-7000007184/

6. http://www.zdnet.com/active-xss-flaw-discovered-on-ebay-7000007539/

7. http://www.zdnet.com/a-patched-browser-false-feeling-of-security-or-a-security-utopia-that-actually-exists-7000007541/

8. http://ddanchev.blogspot.com/

9. http://twitter.com/danchodanchev


1.12 December 


Summarizing Webroot's Threat Blog Posts for 
November (2012-12-01 00:31) 

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for November, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]BofA 'Online Banking Passcode Reset' themed emails 
serve client-side exploits and malware 

02. [4]'ADP Immediate Notification' themed emails lead to 
Black Hole Exploit Kit 

03. [5]USPS 'Postal Notification' themed emails lead to 
malware 

04. [6]'Fwd: Scan from a Xerox W. Pro' themed emails lead 
to Black Hole Exploit Kit 

05. [7]'Your Discover Card Services Blockaded' themed 
emails serve client-side exploits and malware 

06. [8]'Payroll Account Holded by Intuit' themed emails lead 
to Black Hole Exploit Kit 

07. [9]'American Express Alert: Your Transaction is Aborted' themed emails serve client-side exploits and malware

08. [10]Cybercriminals abuse major U.S SMS gateways, release DIY Mail-to-SMS flooders

09. [11]'PayPal Account Modified' themed emails lead to Black Hole Exploit Kit

10. [12]Bogus Better Business Bureau themed notifications 
serve client-side exploits and malware 

11. [13]Cybercriminals spamvertise bogus eFax Corporate 
delivery messages, serve multiple malware variants 
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12. [14]Bogus IRS 'Your tax return appeal is declined' 
themed emails lead to malware 

13. [15]'Copies of Missing EPLI Policies' themed emails lead 
to Black Hole Exploit Kit 

14. [16]Cybercriminals spamvertise bogus 'Microsoft License 
Orders' serve client-side exploits and malware 

15. [17]Cybercriminals resume spamvertising 'Payroll Account Cancelled by Intuit' themed emails, serve client-side exploits and malware

16. [18]Cybercriminals spamvertise millions of FDIC 'Your activity is discontinued' themed emails, serve client-side exploits and malware

17. [19]Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules

18. [20]Multiple 'Inter-company' invoice themed campaigns serve malware and client-side exploits

19. [21]Bogus Facebook 'pending notifications' themed emails serve client-side exploits and malware

20. [22]Cybercriminals target U.K users with bogus 'Pay by Phone Parking Receipts', serve malware

21. [23]Bogus DHL 'Express Delivery Notifications' serve 
malware 

22. [24]Cybercriminals impersonate Vodafone U.K, spread 
malicious MMS notifications 

23. [25]Cybercriminals impersonate T-Mobile U.K, serve 
malware 

24. [26]Bogus 'Meeting Reminder' themed emails serve malware

25. [27]Bogus 'Intuit Software Order Confirmations' lead to 
Black Hole Exploit Kit 

26. [28]Bogus 'End of August Invoices' themed emails serve 
malware and client-side exploits 

This post has been reproduced from [29]Dancho 
Danchev's blog. Follow him [30]on Twitter. 

1. http://blog.webroot.com/

2. http://feeds2.feedburner.com/WebrootThreatBlog

3. http://blog.webroot.com/2012/11/01/bofa-online-banking-passcode-reset-themed-emails-serve-client-side-exploits-and-malware/

4. http://blog.webroot.com/2012/11/02/adp-immediate-notification-themed-emails-lead-to-black-hole-exploit-kit/

5. http://blog.webroot.com/2012/11/06/usps-postal-notification-themed-emails-lead-to-malware/

6. http://blog.webroot.com/2012/11/07/fwd-scan-from-a-xerox-w-pro-themed-emails-lead-to-black-hole-exploit-kit/

7. http://blog.webroot.com/2012/11/08/your-discover-card-services-blockaded-themed-emails-serve-client-side-exploits-and-malware/

8. http://blog.webroot.com/2012/11/09/payroll-account-holded-by-intuit-themed-emails-lead-to-black-hole-exploit-kit/

9. http://blog.webroot.com/2012/11/12/american-express-alert-your-transaction-is-aborted-themed-emails-serve-client-side-exploits-and-malware/

10. http://blog.webroot.com/2012/11/13/cybercriminals-abuse-major-u-s-sms-gateways-release-diy-mail-to-sms-flooders/

11. http://blog.webroot.com/2012/11/14/paypal-account-modified-themed-emails-lead-to-black-hole-exploit-kit/

12. http://blog.webroot.com/2012/11/15/bogus-better-business-bureau-themed-notifications-serve-client-side-exploits-and-malware/

13. http://blog.webroot.com/2012/11/16/cybercriminals-spamvertise-bogus-efax-corporate-delivery-messages-serve-multiple-malware-variants/

14. http://blog.webroot.com/2012/11/19/bogus-irs-your-tax-return-appeal-is-declined-themed-emails-lead-to-malware/

15. http://blog.webroot.com/2012/11/20/copies-of-missing-epli-policies-themed-emails-lead-to-black-hole-exploit-kit/

16. http://blog.webroot.com/2012/11/21/cybercriminals-spamvertise-bogus-microsoft-license-orders-serve-client-side-exploits-and-malware/

17. http://blog.webroot.com/2012/11/22/cybercriminals-resume-spamvertising-payroll-account-cancelled-by-intuit-themed-emails-serve-client-side-exploits-and-malware/
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
18. http://blog.webroot.com/2012/11/23/cybercriminals-spamvertise-millions-of-fdic-your-activity-is-discontinued-themed-emails-serve-client-side-exploits-and-malwar
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Upcoming Portfolio of Commercially Available CYBERINT Reports (2012-12-13 13:38)

Valued blog readers,

Over the years, you've been exposed to insightful, in-depth, "God's Eye View" coverage of some of the most prolific, targeted, and trending cyber attacks/cybercriminal schemes that shaped the way we fight and anticipate cybercrime campaigns throughout the years.

Although the production of such publicly available and socially oriented content at this blog will continue, it's time to raise the stakes even higher - in 2013, I'll be systematically making available commercially available CYBERINT assessments on multiple aspects of the cybercrime ecosystem. It's the stuff that will help your decision-making process, it's the data to help you prosecute those behind these fraudulent operations, it's the tactics and trends you don't get to read about anywhere online.

Please, take 1 second of your precious time, and participate in the voting poll on the right side of the blog.

Enjoy the holidays, and see you all in 2013!

This post has been reproduced from [1]Dancho Danchev's blog. Follow him [2]on Twitter.

1. http://ddanchev.blogspot.com/

2. http://twitter.com/danchodanchev
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Dancho Danchev's Blog Most Popular Posts for 2012 (2012-12-28 00:26)

The time has come to reflect on this year's most popular posts, and emphasize the key points about what made them special.

1. [1]Who's Behind the Koobface Botnet? - An OSINT Analysis - Indisputably, the exposing of Koobface botnet master KrotReal is this year's most popular blog post. The release of the post, and the [2]New York Times article discussing the case, immediately resulted in the shut down of [3]the Koobface botnet.

2. [4]Exposing the Market for Stolen Credit Cards Data - Although the post was originally published in 2011, it's the second most popular for 2012, proving that factually presenting the existence of a growing trend inevitably reaches a wider audience.

3. [5]Dissecting 'Operation Ababil' - an OSINT Analysis - The OSINT analysis of 'Operation Ababil' is this year's third most popular post. The analysis correctly identified a key participant in certain parts of the campaign, although it explicitly emphasized just how easy it is to launch a [6]cyber false flag operation online.

4. [7]Profiling a Vendor of Visa/Mastercard Plastics and Holograms - The main purpose of this post was to shed more light on the increasing availability of "blank plastic" services, whose QA (Quality Assurance) processes sometimes outpace the OPSEC (Operational Security) efforts put in place by the targeted companies.

5. [8]Pricing Scheme for a DDoS Extortion Attack - This post highlighted a bold DDoS extortion letter obtained "in the wild", indicating the degree of flexibility and professionalism applied by the cybercriminals behind it.

6. [9]A Peek Inside the Vertex Net Loader - This post summarized the key features of the Vertex Net Loader, and emphasized the systematic release of related DIY malware loaders/bots within the cybercrime ecosystem.

7. [10]Dissecting the Ongoing Mass SQL Injection Attack - Regular readers of my personal blog are used to getting the latest threat intelligence regarding a particular widespread campaign, virtually in real-time. That was the main objective of this analysis, fortunately successfully achieved.

8. [11]Dissecting the Massive SQL Injection Attack Serving Scareware - An ever-green analysis demonstrating monetization of hijacked Web traffic through a scareware affiliate program.

9. [12]Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product - The second post in the series profiling ex-Koobface botnet master KrotReal's cybercrime-friendly operations also gained a lot of attention, and proved that the lack of prosecution in this case can, and will, ultimately lead to more cybercrime-friendly activities.

10. [13]Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two - With 'Operation Ababil' still an open question to many of the major media outlets, the second part of the analysis discussed another tool used in the campaign, with the idea to raise more awareness of the tools and techniques used by the attackers behind the campaign.

Thank you all for being regular blog readers! The best is yet to come! See you all in 2013!

This post has been reproduced from [14]Dancho Danchev's blog. Follow him [15]on Twitter.

1. http://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html

2. http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?pagewanted=all
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Historical OSINT: OPSEC-Aware Money Mule 
Recruiters Hire, Host Crimeware and 
Malvertisements 

(2013-01-05 16:10) 

In the following intelligence brief, I will perform an analysis 
of the cybercriminal operations involving a group of 

individuals that operated successfully though 2009/2010, 
recruiting money mules, hosting ZeuS crimeware, and 

participating in a malvertising campaign. 

Compared to a previous analysis where I profiled the 

[l]offensive client-side exploitation campaigns 

launched by 

money mule recruiters, in this analysis I'll emphasize on yet 
another OPSEC-aware ([2]Operational Security) gang of 

cybercriminals, this time blocking access to Google and 
anti-money laundering Web sites/research, in an attempt to 

trick the newly recruited mules into thinking that they're 
working for a legitimate company, preventing them from 



obtaining info on their new "employer". 

Key summary points: 

• The group originally launched its operations in 2009, primarily focusing on highly targeted money mule recruitment campaigns 

• Only two of the malicious domains involved in the 2009/2010 campaigns are still active, with the first serving adult content and the second offering name server services to pharmaceutical scams, indicating that they haven't quite left the cybercrime ecosystem just yet 

• The cybercriminals behind the campaign impersonated the legitimate [3]Sprott Asset Management company, and blocked access to its official site on the PCs of mules that executed the malicious "SSL Certificate" supplied to them as a requirement for joining the fake company 

• Upon execution, the bogus SSL Certificate executable modified the HOSTS file on the affected hosts, blocking access to [4]ddanchev.blogspot.com and to [5]bobbear.co.uk to prevent potential money mules from reaching my "[6]Keeping Money Mule Recruiters on a Short Leash" series, and bobbear's vast archive of collected intelligence on money mule recruitment campaigns 

• The group hosted multiple ZeuS crimeware variants using the same infrastructure as the money mule recruitment campaigns, and also participated in a malvertising campaign 

• Although their initial 2009 operations were launched from AS39134, they later on migrated to a Kazakhstan-based bulletproof hosting provider (AS50793) that's no longer in operation, although there's a high probability that the Kazakhstan hosting service was part of a franchise and is currently operating in another part of the world. The Web site of the bulletproof hosting provider was hosted in Ukraine (AS6714), an AS also known to have participated in numerous crimeware campaigns 

• The only malicious activity found for AS39134 was their own operation, indicating that they probably got kicked out of the hosting provider for their attempts to recruit money mules 

• The domain name of the Kazakhstan-based bulletproof hosting provider (AS50793) was registered using a GMail account in 2010 

• The Kazakhstan-based bulletproof ISP's domain name is currently registered to an Iranian citizen, two years after the malicious activities took place, with no signs of malicious activity currently taking place there 
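The HOSTS-file tampering described in the summary points above is cheap to check for on a suspect machine. The following script is an added example, not code from the original post: it parses a HOSTS file, flags any entry that overrides a watchlisted domain (built from the domains the post names; sprott.com is an assumption) or sinkholes a public-looking hostname to a local address, and runs against a constructed sample file when no path is given.

```python
"""Triage a HOSTS file for the kind of tampering described above.

Added example, not code from the original post. The bogus "SSL Certificate"
executable rewrote the victims' HOSTS file so that research and AML sites
no longer resolved. This script flags overrides of a watchlist and any
hostname sinkholed to loopback/0.0.0.0. Watchlist and sample are constructed
from the domains the post names; sprott.com is an assumption.
"""
import ipaddress
import sys
from dataclasses import dataclass

# Domains that should never be resolved by a local HOSTS entry
# (the two blocked research sites, Google, and the impersonated firm's site).
WATCHLIST = {"ddanchev.blogspot.com", "bobbear.co.uk", "google.com", "sprott.com"}

# Hostnames a clean HOSTS file legitimately maps to loopback addresses.
BENIGN_LOCAL = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
}

# Constructed sample modelled on the behaviour the post describes.
SAMPLE_HOSTS = """\
# Host Database (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
127.0.0.1       ddanchev.blogspot.com
127.0.0.1       www.bobbear.co.uk bobbear.co.uk
0.0.0.0         www.google.com   # stops mules researching the "employer"
192.0.2.10      intranet.example # RFC 5737 address; an unrelated entry
"""


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def in_watchlist(hostname: str) -> bool:
    """True if hostname equals or is a subdomain of a watchlisted domain."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHLIST)


def parse_hosts(text: str):
    """Yield (line_no, ip_address, [hostnames]) for each active entry.

    Comments and blank lines are skipped; a line whose first field is not a
    valid IPv4/IPv6 address is ignored rather than raising.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield line_no, ip, fields[1:]


def scan_hosts(text: str) -> "list[Finding]":
    """Return the suspicious entries found in the HOSTS file text."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in BENIGN_LOCAL:
                continue
            if in_watchlist(name):
                reason = "watchlisted domain overridden"
            elif ip.is_loopback or ip.is_unspecified:
                # The blocking technique itself: point the name at 127.0.0.1
                # or 0.0.0.0 so the real site becomes unreachable.
                reason = "hostname sinkholed to a local address"
            else:
                continue
            findings.append(Finding(line_no, str(ip), name, reason))
    return findings


if __name__ == "__main__":
    # With a path argument (e.g. /etc/hosts), scan that file; else the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in scan_hosts(text):
        print(f"line {f.line_no}: {f.address} -> {f.hostname} ({f.reason})")
```

The loopback heuristic also fires on ad-blocking host lists, so treat those findings as review items; a watchlist hit is the stronger signal.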

This post has been reproduced from [7]Dancho 
Danchev's blog. Follow him [8]on Twitter. 
Historical OSINT - Profiling an OPSEC-Unaware Vendor of GSM/USB ATM Skimmers and Pinpads 

(2013-01-05 20:42) 

On a daily basis, I profile over a dozen newly advertised (verified) vendors of ATM skimmers, indicating that this market segment is still quite successful, thanks to the overall demand for these 'tools-of-the-trade', allowing potential cybercriminals to enter the world of ATM skimming. 

In this post, part of the "Historical OSINT" series, I'll profile the underground market proposition of a vendor of GSM/USB ATM Skimmers and Pinpads that appeared on my radar back in 2008, with an emphasis on the lack of OPSEC (Operational Security) applied by them. The IP hosting changes of their main domain throughout 2008, in particular, offer evidence of active multi-tasking on behalf of the same gang of cybercriminals. 

What's particularly interesting about this vendor is the fact that, instead of advertising across popular and well-known cybercrime-friendly Web communities, they themselves created a community around the market proposition and started pitching their offer across the public Web, a clear indication of a lack of OPSEC (Operational Security) awareness. 

On 2006-04-06, darkforum.net (ICQ 16-09-61/160961) was registered using the alsaleh@gawab.com email. On 2009-01-07, the registration email changed to blanerds@hushmail.com. These emails are not known to have been used in previous cybercrime-friendly campaigns. 



Throughout 2008, the darkforum.net domain constantly changed IPs. The following is a complete list of the IP changes: 

64.74.96.241 
69.64.145.229 - IP already profiled in a [1]previously published analysis 
63.251.92.197 
216.8.177.23 
69.25.142.57 
208.73.212.12 
87.242.73.96 - known [2]C&C server 
64.208.225.139 

The advertised brochure of the vendor: 

Overview of the technology involved: Here is how it all works. 

Full operating instructions are included with the entire package, this page is here for informative purposes. The Card Reader reads ATM & credit cards and sends the data tracks through SMS to a phone. The pin-pad catches the pushing of the pin number through the keypad and also sends the data through SMS. 

SMS data comes to a programmable mobile phone number, which you will set to a safe number of yours. It is advised to connect your phone to a computer, and download the track data to your computer as it arrives. After every 2 message track+pin combo, an SMS is sent from each GSM device with a status update. From your computer, you can keep track of the whole operation. 

The GSM Kit comes with an MSR206 device and track writing software. From your computer, you retrieve the track data and pin numbers from SMS messages, and then write the tracks to swipe cards with the cloned ATM/Credit cards, you simply use the pin to cash them out at ATM machines. 

Receiving: 

Received Data on the computer is encrypted. For the decryption, there is a separate program, which is included on the software DVD. Decrypted data is then ready to be written on cards. 

Thus we have a secure working environment. None of your cashiers or crew can get the unencrypted data. Only the user of the software, who controls the operation. This kit is built on brand new technology. We have put a lot of time and money into the development and design. As a result, this is currently the most efficient method of retrieving dumps and pins. 

For example the first skimmers were used with a camera, and on the given moment of skimmer it works with the transmission of data on network GSM, with the sending SMS or with the subtraction of data after calling it. In this case the complete reliability of the work of equipment, checked by time and experience of many people. For example now we use the multilayer printed-circuit boards, similar, as are used in the laptop computers or mob telephones, with the silver contacts and the working from the oxidation although previously they were altogether only old boards. Now for the size decrease is necessary to proceed with decent expenditures in order to decrease the sizes and in this case to increase reliability. 

Our skimmers were actually originally developed for personal use, not for sale. They were designed with the most robust, smallest and most efficient parts at each stage of the building process. 

Why small? Well, it is better to have a small unit, that fits discreetly onto the ATM machine. Why GSM? Because it is possible to receive SMS from a remote location. Nobody has ever been caught by police with a GSM skimmer, to the best of our knowledge. Each day our team is working on the development of newer and newer technologies. From time to time we apply our improvements to our range of products. Thus we from time to time change to new designs of housings; we improve the capability of batteries, or the switching system. For example, the new version of our software has some improvements over previous versions and is regularly updated. Usually clients send on their feature requests and we are frequently building them into our newest kits. 
Our skimmers can read a change in the rate of card conduction. For example, if we insert the card slowly, and then accelerate it, our magnetic strip reader will read and correct this. We read both tracks info from both sides of the strip. We read reliably, with a 99.9 % correct rate of reading. Sending of SMS occurs from the internal components of two Sony Ericsson 850i units. The batteries, visible in some of the pictures are from Motorola phones. The internal circuitry of the phones is connected to a digital circuit and chip which receive the information from the pinpad and magnetic reader, respectively. You will need 3 sim cards, pre-paid is recommended. Each reading sends 4 SMS messages, 1 with the track information, 1 with the pin, and 1 from each unit with a status update. 

On each sim card, you will have to save the phone number of your home mobile phone's sim card under the name "home". The internal circuitry and interface with the SE850i unit will look to this number to send both the track data and the pin numbers. 

The internal processing chip encrypts the data before sending sms to the computer. In the kit, the decoding program is included which with one click will transfer the crypted dump into plain text. On opening this program, it is necessary to enter password. But if password is incorrect that program will close with a system error message, rather than responding with an incorrect password message. This is an obvious security feature. Each unit has an individual serial number and password. The password is included in the full package. It is possible to request that the password be communicated online, rather than be included with the software and package. 

I will give a couple of working examples of scenarios. If someone attempts to open the program and types an incorrect password, an error message is displayed and the software will "crash". It gives the impression that the software is simply not working. But if the correct password is entered, then it will start. If necessary, it is possible to simply say that the software is just something downloaded from the Internet, but it does not work, and you forgot to remove it. And no specialist will be able to prove what kind of program it is. 

The exterior appearance and feel of our devices is built based on the original appearance of the ATM machine. In other words, if one instrument incorporates smooth lines, and sleek curves, then our device will appear very similar on its exterior housing. It is virtually unnoticeable that there has been a modification to the ATM. The paint, with which we spray our housings is matched to the paint on the original ATMs. Our method of colouring accurately reproduces the originals, while maintaining all the characteristics of colouring, including varying temperature conditions, the angle of incidence of the paint, pressure, time of polymerization, etc. 

As such we attained a perfect match of paint, tone of paint, reflection, and nuances with the different angles of incidence of light, feeling of the surface and so forth. On the job, this looks and feels exactly the same as an un-modified ATM. All instruments are powered from Li-ion batteries. A charger is included in the complete set. Each battery is sufficient for 2-3 days of work (at a rated temperature of 22 Celsius). We have carried out extensive tests to find the maximum quantity of SMS which can be sent from one battery. Tests showed that we could send 1400 SMS from one battery without a recharge. The majority of the time, the instrument stands in standby mode. Very little power is used until the card is inserted or the pinpad is pressed, when track data is collected, and pins are collected. 

The complete set comes with everything you need to run a full operation. However, the batteries need to be fully charged and recharged. This means that it is necessary to give 2-3 complete cycles of charging and discharging. This makes possible for battery to work longer. As a rule by this "warming-up" of the batteries the length of time they will operate will increase by 30-40 %. 

Again we stress that we are moving ahead, and developing more advanced devices. The current range for sale has been extensively tested and proven as a reliable kit. 

USB Flash memory skimmers: 

We have a cheaper range of non-GSM skimming kit for sale. This is mostly bought by new users, as experienced, wealthy crews will be using the more modern GSM skimmers. 

Our range starts with a basic skimmer & hidden camera, pre installed inside a discreet case, with flash storage and timestamps. Our basic skimmers are just as discreet and physically sound as our expensive GSM kit. They contain a 512 mb flash card, and a ROM chip with tiny card writer to record the info to the micro sd card. These kits come with an MSR206 and a multi card reader to retrieve the dumps + pins from both devices. If you already own an MSR206, it can be removed from the package and a small discount can be given. 

Pinpad info 

Basic features of our pin pads are: 

1. Ultra thin, around 3mm and it looks slimmer because of some design tricks 

2. Real Stainless-Steel Material Frame and the keys 

3. Exact same size as the actual ATM's pinpad 

4. Special plated Frame and Keys that does not hold any Fingerprints well 

5. Ultra low power consumption 

6. Various languages supported 

Technical Information on Charging and Communicating: 

As usual, you may charge your pinpad through the USB communication cable. Charging is automatic, when you plug the cable into the pinpad, it will start charging. You can communicate with the pinpad while charging. You should charge your pinpad for a minimum 2 hours before operation. Try to use a USB Port on a Desktop Computer instead of a Laptop or USB hub. If you need to use a laptop then make sure you are using laptop with its power adapter connected, otherwise you will try to charge pin pads Battery with laptop's battery and this will result in poor charging. Remember, you have to check date and time of your pinpad and adjust it if needed before operation. Setting the date/time is very easy using the software provided. 

There are some limits on USB Charging. USB Charging is good if your skimming operation last 12-16 hours. If you require your pin pad to last longer then you have to buy Lithium-Polymer(Li-Po) 3.7v Generic charger for charging the battery of your pinpad. We can include this with the full kit for an extra cost. You may contact us if you bought a Li-Po charger and want to use it with your pinpad. 

You must be extremely careful when plugging the cable into the pinpad! There was not enough space in the pinpad for us to place a generic USB socket that eliminates user mistakes when plugging in the cable. We used plain socket that allows user to plug cable in any direction/position. If you plug the cable in the wrong direction/position then your pinpad electronics may be damaged. There is also a risk to your battery. So pay special attention when plugging the cable into your pinpad for data transfer and/or charging. Check the picture below for concise instructions on how to plug the cable into your pinpad. 

Follow these steps for easy plugging: 

1. Identify the Red Wire on the cable's socket 

2. Identify the Red Wire on pinpads Socket 

3. Red wire of pinpads socket should always be near the Crystal, and should join with the other red wire. 

4. Then plug it like this: 

Information on Installing and Removing to/from ATM: 

You should use transparent fast glues for glue your Pinpad. You have to be very careful on NOT TO GLUE the Membrane of your Pinpad. You only need to glue the back of the frame of the Pinpad, only places where it touches the ATM. Again, no membrane or keys!!! You should use 2 holes designed for removing Pinpad from the ATM. You may use a small screwdriver or knife or similar. 

You have to be very careful when removing the pinpad from the ATM. You should not damage membrane of the pinpad when using screwdriver or knife to remove it. Several practice attempts, on a flat surface are recommended. 

You should try with very small amount of glue for your tests to see and understand how it sticks. Then you should decide what amount of glue will be used when you are on the job. Your tests are the key to your success. Test your skimmer on the ATM with no Glue/Less Glue etc. for experience. Never start to skimming before feeling you understand all the logic. 

Our Software Description 

To work with a skimmer, a computer is necessary of course. You need to save your dumps (card data tracks) there! We will provide you with software, which can completely control your skimmer. Using this software, you can download dumps from skimmer/input them from SMS, remove them from skimmer unit, etc. 

The program saves everything in crypted form. So that you don't have to worry about being ripped off. No one will be able to retrieve your data without the password. The password is included in the complete package, or can be sent separately online for security purposes. Each skimmer is basically a small computer, with a processor, flash storage, the internals of a SE850i mobile (cellular/GSM) phone, through which it sends info, and it has an EEPROM chip which boots up and operates the unit. So that takes care of software and passwords. Software is supplied in the complete set with the equipment directly to the buyer, even if transaction is done through some mediator, and passwords are given only to the buyer. We make so that the mediator cannot obtain both the software and the passwords. 

The program does not show dumps on the screen. Also it does not preserve dumps in the open form. With the retention they are ciphered by a serious key. At the start of program it will request your password. But if password is introduced incorrect that it simply closes down and prints a system error on the screen. This creates the impression that the program is simply nonworking. And if you will not input the correct password, there's no way to even know what kind of program it is. This was created so that non-critical people with an attempt at the start would not attempt to select password. Let's just say suddenly, the police get the laptop, on which the program is installed. Naturally, they will ask you about the password. If you are creative, you will give them a fake password, which they enter it, and the program will simply shut down and writes that an error occurred. This will give the impression that the program is non working. And you can boldly tell that the "program never worked, and I just forgot to delete it". 

The dumps are stored in an encrypted file, which it is not possible to decrypt. There will be no evidence left on your computer, once the police do not get a hold of the password. 

The software itself is easy to use. There is no extra options or excess instructions. It is self explanatory, but full instructions are included with the full kit. If you have any other questions we will try our best to answer them from our administration team or our software developers. 
Safety: 

We are often asked questions about safety when we are working with skimmers. On this page, I will try to give some good safety advice for cashing out and operating a successful skimming operation. 

Observation: 

It is recommended to observe the target ATM, unobtrusively for 1-2 days before hand. Record at what times the ATM is busy, what times it is quiet, and at what time it is serviced and money is put into the machine, if it is a free standing unit. 

Equipment preparation: 

It is recommended to check all your equipment before the installation. Make sure that you have practised with some dummy ATM cards before hand and have transferred your own ATM card, or similar into track data, SMS, decrypt, and write to a "white card" with your MSR206 card writer. 
Work for the fitter/installer: 

The installer must be good with their hands. They must accurately and rapidly carry out his work, and quietly leave the area. Some crews will have their fitter dress up in a uniform to make them appear to be servicing the ATM. This is not such a good idea. Just go to the ATM when it is quiet. Perhaps have an assistant stand a distance away, to distract passers-by or other users of the ATM. The whole process can take less than 30 seconds. 

Operation of the device: 

Place, and the time of the installation should be selected beforehand. An observation point might be necessary. There should be somewhere to safely park your car from which to observe the operation of the skimmer and pin pad. If you are waiting in a car, it is not recommended that you have a laptop + msr + phone receiving and writing the data. If the operation is busted in this manner, you lose everything. However, if you are at home, you will have at least several hours in which to write the cards and cash them out. Your observation person should have enough food, water, etc to last in the car for the complete duration of the operation if possible. One plan that some crews use now is observation from an apartment or hotel close to the ATM. With this, you can cut down on the number of your crew. But be careful use fake identification if you can. 

Full details of the installation are described with pictures in a series of PDF files included on the software and instructions DVD. The fitter/installer should put a card into the machine and reject it quickly when fitting. The receiver working on the "home" computer, will receive the track, and confirm that it stuck on properly. 99 % of the time, it sticks no problem. This is also useful to find that the card is ejecting properly. 
When removing equipment, your crew should be trained and ready. Some crews do not risk withdrawing equipment as the average 1-day run will net $20,000- $50,000 USD depending on where you are. However if you are confident about removing it, you should take it to run the operation again. If apprehended while removing the equipment, the remover should protest innocence. They should say that they saw something suspicious, and were trying to take it off the ATM to bring to police/bank. The crew member should look and act like a respectable citizen. You do not need a crew of thugs for this operation. You need a well-spoken, relaxed, confident team. It can be done with just 2 people, but 3 is recommended. Observing the guy removing the kit is a good idea, and walkie-talkies are useful, if the observer sees someone approaching the removal guy, he should "squawk" his walkie-talkie, and the remover can disappear quickly. 

Cashing out the money: 

On many ATMs, there is a monitoring camera. Cameras are usually motion activated. We advise that you do not stay at one ATM more than 5 minutes, and do not tie up an ATM if there are people in the queue. Do not always cash out at an ATM belonging to one single bank, nor should you ever cash out your cards on the ATM that you skimmed them on. 

Many crews will have several people working on cashing out, and they work 10 cards per person per time, all returning the money to the controller periodically. If you are cashing out at night at a quiet ATM, having hoods up is a good idea to prevent the camera from seeing you. That's just about everything you need to know to operate a safe, extremely lucrative ATM skimming business. 

The Kit includes a software dvd (with full instructions), MSR206, Skimmer + Pinpad, and encryption key to decode dumps which are encrypted on the devices. Note: Only skimmed tracks are encrypted, pins are not encrypted. Rental Schemes are available, where we keep the encryption key for the 1st operation of the skimmer, and provide you with 20 unencrypted dumps + pins. This rental scheme costs €1400 for USB kits, and €2200 for GSM kits. 

My initial discovery of this cybercrime-friendly market proposition coincides with the publication of a related post back in 2008, which for the first time publicly disclosed important details regarding the emergence of [3]ATM Skimmers with built-in GSM modules. Nowadays, these are an everyday reality. 

This post has been reproduced from [4]Dancho 
Danchev's blog. Follow him [5]on Twitter. 

1. http://ddanchev.blogspot.com/2008/08/facebook-malware-campaigns-rotating.html 

2. http://www.bothunter.net/live/2011-10-15/index.html 

3. http://www.zdnet.com/blog/security/scammers-introduce-atm-skimmers-with-built-in-sms-notification/2000 

4. http://ddanchev.blogspot.com/ 

5. http://twitter.com/danchodanchev 
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Historical OSINT - Profiling an OPSEC-Unaware 
Vendor of GSM/USB ATM Skimmers and Pinpads 

( 2013 - 01-05 20 : 42 ) 

On daily basis, I profile over a dozen of newly advertised 
(verified) vendors of ATM skimmers, indicating that this 

market segment is still quite successful, thanks to the 
overall demand for these 'tools-of-the-trade', allowing 
potential 

cybercriminals to enter the world of ATM skimming. 

In this post part of the "Historical OSINT" series, I'll profile 
the underground market proposition of a vendor 

of GSM/USB ATM Skimmers and Pinpads, that appeared on 
my radar back in 2008, with an emphasis on the lack 

of OPSEC (Operational Security) applied by them, and the IP 
hosting changes of their main domain that took place 

throughout 2008, in particular, offer evidence of active 
multi-tasking on behalf of the same gang of cybercriminals. 

What's particularly interesting about this vendor is the fact 
that, instead of advertising across popular and 

well known cybercrime-friendly Web communities, they 
themselves created a community around the market 

proposition, and started pitching their offer across the 
public Web, a clear indication for a lack of OPSEC 
(Operational 


Security) awareness. 



On 2006-04-06, darkforum.net (ICQ 16-09-61/160961) 
was registered using the alsaleh@gawab.com email. 

On 2009-01-07, the registration email changed to 
blanerds@hushmail.com. These emails are not known to 
have 

been used in previous cybercrime-friendly campaigns. 

Throughout 2008, the darkforum.net domain constantly 
changed IPs. The following is a complete list of the 

IP changes: 

64.74.96.241 

69.64.145.229 - IP already profiled in a [l]previously 
published analysis 

63.251.92.197 
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216.8.177.23 

69.25.142.57 

208.73.212.12 

87.242.73.96 - known [2]C &C server 
64.208.225.139 

The advertised brochure of the vendor: 

Overview of the technology involved: Here is how it ail 
works. 


Full operating instructions are included with the entire 
package, this page is here for informative purposes. The 
Card 

Reader reads ATM & credit cards and sends the data tracks 
through SMS to a phone. The pin-pad catches the pushing 

of the pin number through the keypad and also sends the 
data through SMS. 

SMS data comes to a programmable mobile phone number, 
which you will set to a safe number of yours. It is 

advised to connect your phone to a computer, and 
download the track data to your computer as it arrives. 

After 

every 2 message track+pin combo, an SMS is sent from 
each GSM device with a status update. From your computer, 

you can keep track of the whole operation. 

The GSM Kit comes with an MSR206 device and track 
writing software. From your computer, you retrieve the track 

data and pin numbers from SMS messages, and then write 
the tracks to swipe cards with the cloned ATM/Credit 

cards, you simply use the pin to cash them out at ATM 
machines. 

Receiving: 

Received Data on the computer is encrypted. For the 
decryption, there is a separate program, which is included 
on 



the software DVD. Decrypted data is then ready to be 
written on cards. 

Thus we have a secure working environment. None of your 
cashiers or crew can get the unencrypted data. 
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Only the user of the software, who controls the operation. 
This kit is built on brand new technology. We have put 

a lot of time and money into the development and design. 
As a result, this is currently the most efficient method of 

retrieving dumps and pins. 

for example the first skimmers were used with a camera, 
and on the given moment of skimmer it works with 

the transmission of data on network GSM, with the sending 
SMS or with the subtraction of data after calling it. In this 

case the complete reliability of the work of equipment, 
checked by time and experience of many people. For 
example 

now we use the multilayer printed-circuit boards, similar, as 
are used in the laptop computers or mob telephones, 

with the silver contacts and the working from the oxidation 
although previously they were altogether only old boards. 

Now for the size decrease is necessary to proceed with 
decent expenditures in order to decrease the sizes and in 
this 


case to increase reliability. 

Our skimmers were actually originally developed for 
personal use, not for sale. They were designed with the 

most robust, smallest and most efficient parts at each stage 
of the building process. 

Why small? Well, it is better to have a small unit, that fits 
discretely onto the ATM machine. Why GSM? Because it 

is possible to receive SMS at from a remote location. 

Nobody has ever been caught by police with a GSM 
skimmer, 

to the best of our knowledge. Each day our team is working 
on the development of newer and newer technologies. 

From time to time we apply our improvements to our range 
of products. Thus we from time to time change to new 

designs of housings; we improve the capability of batteries, 
or the switching system. For example, the new version of 

our software has some improvements over previous 
versions and is regularly updated. Usually clients send on 
their 

feature requests and we are frequently building them into 
our newest kits. 
Our skimmers can read a change in the rate of card conduction. For example, if we insert the card slowly, and then accelerate it, our magnetic strip reader will read and correct this. We read both tracks' info from both sides of the strip. We read reliably, with a 99.9 % correct rate of reading. Sending of SMS occurs from the internal components of two Sony Ericsson 850i units. The batteries, visible in some of the pictures, are from Motorola phones. The internal circuitry of the phones is connected to a digital circuit and chip which receive the information from the pinpad and magnetic reader, respectively. You will need 3 sim cards; pre-paid is recommended. Each reading sends 4 SMS messages: 1 with the track information, 1 with the pin, and 1 from each unit with a status update.

On each sim card, you will have to save the phone number of your home mobile phone's sim card under the name "home". The internal circuitry and interface with the SE850i unit will look to this number to send both the track data and the pin numbers.

The internal processing chip encrypts the data before sending SMS to the computer. In the kit, the decoding program is included, which with one click will transfer the encrypted dump into plain text. On opening this program, it is necessary to enter a password. But if the password is incorrect, the program will close with a system error message, rather than responding with an incorrect password message. This is an obvious security feature. Each unit has an individual serial number and password. The password is included in the full package. It is possible to request that the password be communicated online, rather than be included with the software and package.

I will give a couple of working examples of scenarios. If someone attempts to open the program and types an incorrect password, an error message is displayed and the software will "crash". It gives the impression that the software is simply not working. But if the correct password is entered, then it will start. If necessary, it is possible to simply say that the software is just something downloaded from the Internet, but it does not work, and you forgot to remove it. And no specialist will be able to prove what kind of program it is.

The exterior appearance and feel of our devices is built based on the original appearance of the ATM machine. In other words, if one instrument incorporates smooth lines and sleek curves, then our device will appear very similar on its exterior housing. It is virtually unnoticeable that there has been a modification to the ATM. The paint with which we spray our housings is matched to the paint on the original ATMs. Our method of colouring accurately reproduces the originals, while maintaining all the characteristics of colouring, including varying temperature conditions, the angle of incidence of the paint, pressure, time of polymerization, etc.

As such we attained a perfect match of paint, tone of paint, reflection, and nuances with the different angles of incidence of light, feeling of the surface and so forth. On the job, this looks and feels exactly the same as an un-modified ATM. All instruments are powered from Li-ion batteries. A charger is included in the complete set. Each battery is sufficient for 2-3 days of work (at a rated temperature of 22 Celsius). We have carried out extensive tests to find the maximum quantity of SMS which can be sent from one battery. Tests showed that we could send 1400 SMS from one battery without a recharge. The majority of the time, the instrument stands in standby mode. Very little power is used until the card is inserted or the pinpad is pressed, when track data is collected, and pins are collected.

The complete set comes with everything you need to run a full operation. However, the batteries need to be fully charged and recharged. This means that it is necessary to give 2-3 complete cycles of charging and discharging. This makes it possible for the battery to work longer. As a rule, this "warming-up" of the batteries increases the length of time they will operate by 30-40 %.

Again we stress that we are moving ahead, and developing more advanced devices. The current range for sale has been extensively tested and proven as a reliable kit.

USB Flash memory skimmers:

We have a cheaper range of non-GSM skimming kit for sale. This is mostly bought by new users, as experienced, wealthy crews will be using the more modern GSM skimmers.

Our range starts with a basic skimmer & hidden camera, pre-installed inside a discreet case, with flash storage and timestamps. Our basic skimmers are just as discreet and physically sound as our expensive GSM kit. They contain a 512 mb flash card, and a ROM chip with a tiny card writer to record the info to the micro SD card. These kits come with an MSR206 and a multi card reader to retrieve the dumps + pins from both devices.

If you already own an MSR206, it can be removed from the package and a small discount can be given.

Pin pad info

Basic features of our pin pads are:

1. Ultra thin, around 3mm, and it looks slimmer because of some design tricks
2. Real stainless-steel material frame and keys
3. Exact same size as the actual ATM's pinpad
4. Specially plated frame and keys that do not hold fingerprints well
5. Ultra low power consumption
6. Various languages supported
Technical Information on Charging and Communicating:

As usual, you may charge your pinpad through the USB communication cable. Charging is automatic: when you plug the cable into the pinpad, it will start charging. You can communicate with the pinpad while charging. You should charge your pinpad for a minimum of 2 hours before operation. Try to use a USB port on a desktop computer instead of a laptop or USB hub. If you need to use a laptop, then make sure you are using the laptop with its power adapter connected; otherwise you will try to charge the pin pad's battery with the laptop's battery and this will result in poor charging. Remember, you have to check the date and time of your pinpad and adjust it if needed before operation. Setting the date/time is very easy using the software provided.

There are some limits on USB charging. USB charging is good if your skimming operation lasts 12-16 hours. If you require your pin pad to last longer, then you have to buy a Lithium-Polymer (Li-Po) 3.7v generic charger for charging the battery of your pinpad. We can include this with the full kit for an extra cost. You may contact us if you bought a Li-Po charger and want to use it with your pinpad.

You must be extremely careful when plugging the cable into the pinpad! There was not enough space in the pinpad for us to place a generic USB socket that eliminates user mistakes when plugging in the cable. We used a plain socket that allows the user to plug the cable in any direction/position. If you plug the cable in the wrong direction/position, then your pinpad electronics may be damaged. There is also a risk to your battery. So pay special attention when plugging the cable into your pinpad for data transfer and/or charging. Check the picture below for concise instructions on how to plug the cable into your pinpad.

Follow these steps for easy plugging:

1. Identify the red wire on the cable's socket
2. Identify the red wire on the pinpad's socket
3. The red wire of the pinpad's socket should always be near the crystal, and should join with the other red wire.
4. Then plug it like this:

Information on Installing and Removing to/from ATM:

You should use transparent fast glues to glue your Pinpad. You have to be very careful NOT TO GLUE the membrane of your Pinpad. You only need to glue the back of the frame of the Pinpad, only the places where it touches the ATM. Again, no membrane or keys!!! You should use the 2 holes designed for removing the Pinpad from the ATM. You may use a small screwdriver or knife or similar.

You have to be very careful when removing the pinpad from the ATM. You should not damage the membrane of the pinpad when using a screwdriver or knife to remove it. Several practice attempts, on a flat surface, are recommended.

You should try with a very small amount of glue for your tests to see and understand how it sticks. Then you should decide what amount of glue will be used when you are on the job. Your tests are the key to your success. Test your skimmer on the ATM with no glue/less glue etc. for experience. Never start skimming before feeling you understand all the logic.

Our Software Description

To work with a skimmer, a computer is necessary of course. You need to save your dumps (card data tracks) there! We will provide you with software which can completely control your skimmer. Using this software, you can download dumps from the skimmer/input them from SMS, remove them from the skimmer unit, etc.

The program saves everything in encrypted form, so that you don't have to worry about being ripped off. No one will be able to retrieve your data without the password. The password is included in the complete package, or can be sent separately online for security purposes. Each skimmer is basically a small computer, with a processor, flash storage, the internals of a SE850i mobile (cellular/GSM) phone, through which it sends info, and it has an EEPROM chip which boots up and operates the unit. So that takes care of software and passwords. Software is supplied in the complete set with the equipment directly to the buyer, even if the transaction is done through some mediator, and passwords are given only to the buyer. We make it so that the mediator cannot obtain both the software and the passwords.

The program does not show dumps on the screen. Also it does not preserve dumps in the open form. With the retention they are ciphered by a serious key. At the start of the program it will request your password. But if the password is entered incorrectly, it simply closes down and prints a system error on the screen. This creates the impression that the program is simply nonworking. And if you will not input the correct password, there's no way to even know what kind of program it is. This was created so that non-critical people would not, at the start, attempt to select the password. Let's just say suddenly, the police get the laptop on which the program is installed. Naturally, they will ask you about the password; if you are creative, you will give them a fake password, which they enter, and the program will simply shut down and write that an error occurred. This will give the impression that the program is non working. And you can boldly tell them that the "program never worked, and I just forgot to delete it".

The dumps are stored in an encrypted file, which it is not possible to decrypt. There will be no evidence left on your computer, once the police do not get a hold of the password.

The software itself is easy to use. There are no extra options or excess instructions. It is self explanatory, but full instructions are included with the full kit. If you have any other questions we will try our best to answer them from our administration team or our software developers.
Safety:

We are often asked questions about safety when we are working with skimmers. On this page, I will try to give some good safety advice for cashing out and operating a successful skimming operation.

Observation:

It is recommended to observe the target ATM, unobtrusively, for 1-2 days beforehand. Record at what times the ATM is busy, what times it is quiet, and at what time it is serviced and money is put into the machine, if it is a free standing unit.

Equipment preparation:

It is recommended to check all your equipment before the installation. Make sure that you have practised with some dummy ATM cards beforehand and have transferred your own ATM card, or similar, into track data, SMS, decrypt, and write to a "white card" with your MSR206 card writer.
Work for the fitter/installer:

The installer must be good with their hands. They must accurately and rapidly carry out their work, and quietly leave the area. Some crews will have their fitter dress up in a uniform to make them appear to be servicing the ATM. This is not such a good idea. Just go to the ATM when it is quiet. Perhaps have an assistant stand a distance away, to distract passers-by or other users of the ATM. The whole process can take less than 30 seconds.

Operation of the device:

The place and the time of the installation should be selected beforehand. An observation point might be necessary. There should be somewhere to safely park your car from which to observe the operation of the skimmer and pin pad. If you are waiting in a car, it is not recommended that you have a laptop + msr + phone receiving and writing the data. If the operation is busted in this manner, you lose everything. However, if you are at home, you will have at least several hours in which to write the cards and cash them out. Your observation person should have enough food, water, etc. to last in the car for the complete duration of the operation if possible. One plan that some crews use now is observation from an apartment or hotel close to the ATM. With this, you can cut down on the number of your crew. But be careful; use fake identification if you can.

Full details of the installation are described with pictures in a series of PDF files included on the software and instructions DVD. The fitter/installer should put a card into the machine and reject it quickly when fitting. The receiver, working on the "home" computer, will receive the track, and confirm that it stuck on properly. 99 % of the time, it sticks no problem. This is also useful to find that the card is ejecting properly.
When removing equipment, your crew should be trained and ready. Some crews do not risk withdrawing equipment, as the average 1-day run will net $20,000-$50,000 USD depending on where you are. However, if you are confident about removing it, you should take it to run the operation again. If apprehended while removing the equipment, the remover should protest innocence. They should say that they saw something suspicious, and were trying to take it off the ATM to bring to the police/bank. The crew member should look and act like a respectable citizen. You do not need a crew of thugs for this operation. You need a well-spoken, relaxed, confident team. It can be done with just 2 people, but 3 is recommended. Observing the guy removing the kit is a good idea, and walkie-talkies are useful. If the observer sees someone approaching the removal guy, he should "squawk" his walkie-talkie, and the remover can disappear quickly.
Cashing out the money:

On many ATMs, there is a monitoring camera. Cameras are usually motion activated. We advise that you do not stay at one ATM more than 5 minutes, and do not tie up an ATM if there are people in the queue. Do not always cash out at an ATM belonging to one single bank, nor should you ever cash out your cards on the ATM that you skimmed them on.

Many crews will have several people working on cashing out, and they work 10 cards per person per time, all returning the money to the controller periodically. If you are cashing out at night at a quiet ATM, having hoods up is a good idea to prevent the camera from seeing you. That's just about everything you need to know to operate a safe, extremely lucrative ATM skimming business.
The Kit includes a software DVD (with full instructions), MSR206, Skimmer + Pinpad, and the encryption key to decode dumps which are encrypted on the devices. Note: Only skimmed tracks are encrypted; pins are not encrypted. Rental schemes are available, where we keep the encryption key for the 1st operation of the skimmer, and provide you with 20 unencrypted dumps + pins. This rental scheme costs €1400 for USB kits, and €2200 for GSM kits.

My initial discovery of this cybercrime-friendly market proposition coincides with the publication of a related post back in 2008, which for the first time publicly disclosed important details regarding the emergence of [3]ATM skimmers with built-in GSM modules.

Nowadays, these are an everyday reality.

Updates will be posted as soon as new developments take place.

1. http://ddanchev.blogspot.com/2008/08/facebook-malware-campaigns-rotating.html

2. http://www.bothunter.net/live/2011-10-15/index.html

3. http://www.zdnet.com/blog/security/scammers-introduce-atm-skimmers-with-built-in-sms-notification/2000

Raw Historical OSINT - Keeping Money Mule Recruiters on a Short Leash - Part Twelve (2013-01-07 22:56)

In the following (historical) intelligence brief, I'll provide you with some raw domain data of fake companies that are known to have attempted to recruit money mules over the past 2 years.

The domains listed here were registered by the same gang of cybercriminals that I've been extensively profiling in previous "Keeping Money Mule Recruiters on a Short Leash" posts.

Money mule recruitment domains:

compassllc-usa.com
linkllc-uk.com
very-compllc.com
click-n-art.com
infotechgroup-inc.com
amplitude-groupmain.tw
magnet-groupinc.cc
allston-groupsec.cc
DEVELOP-INC.COM
MERCYGROUPNET.NET
MERCY-INC.COM
SOLARISGROUPINC.COM
SOLARISGROUPNET.NET
JVC-INC.COM
JVCGROUPNET.NET
EVOLVINGSYSINC.NET
ATCANETWORKS.NET
ATCA-INC.COM
GALLEOGROUPNET.NET
GALLEO-INC.COM
EVOLVINGSYSINC.NET
EVOLVING-INC.COM
NETMARKET-INC.COM
NETMARKETTECH.NET
INFOTECH-GROUPCO.NET
INFOTECH-GROUPINC.COM
INFOTECHGROUP-INC.COM
BANDS-GROUPSVC.COM
BANDS-INC.COM
BANDSGROUP-INC.NET
BANDSGROUPNET.CC
ICT-GROUPCO.COM
ICT-GROUPSVC.NET
ICTGROUPINC.COM
ICTGROUPNET.CC
GIANT-GROUPCO.NET
GIANT-GROUPINC.COM
GIANT-GROUPNET.CC
GIANTGROUPINC.COM
IMPERIAL-GROUPINC.COM
IMPERIAL-GROUPSVC.NET
IMPERIALGROUPCO.COM
HOSTGROUP-INC.COM
HOSTGROUPINC.COM
HOSTGROUPNET.CC
HOST-GROUPSVC.NET
CNLGROUP-INC.CC
CNLGROUPNET.NET
CNL-GROUPSVC.COM
CNL-INC.COM
bands-groupsvc.com
bands-inc.com
bandsgroup-inc.net
bandsgroupnet.cc
cnl-groupsvc.com
cnl-inc.com
cnlgroup-inc.cc
cnlgroupnet.net
giant-groupco.net
giant-groupinc.com
giant-groupnet.cc
giantgroupinc.com
host-groupsvc.net
hostgroup-inc.com
hostgroupinc.com
hostgroupnet.cc
ict-groupco.com
ict-groupsvc.net
ictgroupinc.com
ictgroupnet.cc
imperial-groupinc.com
imperial-groupsvc.net
imperialgroupco.com
infotech-groupco.net
infotech-groupinc.com
infotechgroup-inc.com
itcom-groupco.net
itcom-groupfine.cc
itcom-groupsvc.com
itcomgroup-inc.com
mgm-groupsvc.com
mgmgroup-inc.net
mgmgroupinc.com
mgmgroupnet.cc
usi-groupinc.net
usigroup-inc.com
usigroupinc.com
usigroupnet.cc
NOVARIS-GROUPLLC.TW
NOVARISGROUPMAIN.TW
NOVARIS-GROUPORG.CC
VITAL-GROUPCO.CC
VITAL-GROUPCO.TW
VITAL-GROUPINC.TW
PERSEUS-GROUPFINE.TW
PERSEUS-GROUPINC.TW
PERSEUSGROUPLLC.CC

Consider going through my previous research into one of the most popular 'risk-forwarding' tactics used by cybercriminals, namely, money mule recruitment.
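A raw indicator dump like the one above is only useful to a defender once it is cleaned and turned into something a resolver or SIEM can consume. The following is an added example in Python (mine, not the post's or the gang's code). It normalizes the mixed-case, OCR-spaced list (stray spaces, trailing dots, duplicates), infers the brand-plus-corporate-suffix naming template the gang reuses across .com/.net/.cc/.tw so that sibling registrations can be grouped and hunted for, and renders a DNS Response Policy Zone that answers NXDOMAIN for every listed domain and its subdomains. The template regex is my reading of the list above, the zone name `mule-recruiters.rpz` is a placeholder, and the embedded sample is a constructed subset of the published domains.

```python
"""Normalize an OSINT domain dump, recover the shared naming templates, and
emit an RPZ blocklist.  Added example; not code from the original post."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample: a handful of entries copied from the list above with the
# OCR spacing and mixed case as published, plus one deliberate duplicate.
SAMPLE_RAW = """
compassllc-usa. com
click-n-art.com
DEVELOP-INC.COM
GIANT-GROUPINC. COM
giant-groupinc. com
giantgroupinc. com
GIANT-GROUPNET. CC
hostgroupnet. cc
HOST-GROUPSVC. NET
hostgroup-inc. com
"""

# Syntactic hostname check: dotted labels of letters/digits/hyphens.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

# Naming template inferred from the published list (an assumption, not a rule
# the post states): <brand>[-]<corporate suffix>.<tld>.  The brand is matched
# lazily so the suffix alternation absorbs as much of the name as it can.
TEMPLATE_RE = re.compile(
    r"^(?P<brand>[a-z0-9]+?)-?"
    r"(?P<suffix>group(?:inc|net|co|svc|llc|main|org|fine|sec)|inc|llc|networks|tech)"
    r"\.(?P<tld>com|net|cc|tw)$"
)


def normalize_domains(raw: str) -> list[str]:
    """Lower-case, strip whitespace and trailing dots, drop non-hostnames, dedupe."""
    seen: set[str] = set()
    for line in raw.splitlines():
        candidate = re.sub(r"\s+", "", line).lower().rstrip(".")
        if candidate and DOMAIN_RE.match(candidate):
            seen.add(candidate)
    return sorted(seen)


def classify(domain: str) -> tuple[str, str] | None:
    """Return (brand, template) when the domain follows the naming scheme, else None."""
    m = TEMPLATE_RE.match(domain)
    if m is None:
        return None
    brand = m["brand"]
    # "hostgroup-inc" and "host-groupinc" are the same brand, "host".
    if brand.endswith("group") and len(brand) > len("group"):
        brand = brand[: -len("group")]
    return brand, "*" + domain[len(brand):]


def group_by_brand(domains: list[str]) -> dict[str, list[str]]:
    """Cluster registrations by brand: the pivot for finding sibling domains."""
    families: dict[str, list[str]] = defaultdict(list)
    for d in domains:
        hit = classify(d)
        if hit:
            families[hit[0]].append(d)
    return dict(families)


def template_counts(domains: list[str]) -> Counter:
    """How often each brand-agnostic template ("*-groupinc.com") is reused."""
    return Counter(hit[1] for d in domains if (hit := classify(d)))


def to_rpz(domains: list[str], zone: str = "mule-recruiters.rpz") -> str:
    """Render an RPZ zone; 'CNAME .' is the RPZ action for NXDOMAIN."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    domains = normalize_domains(SAMPLE_RAW)
    for brand, members in sorted(group_by_brand(domains).items()):
        print(f"{brand}: {', '.join(members)}")
    for template, n in template_counts(domains).most_common():
        print(f"{n:>3}  {template}")
    print(to_rpz(domains))
```

The brand grouping is where the value lies: once a new registration such as a previously unseen `*-groupsvc.net` shows up in passive DNS or certificate-transparency logs, matching it against the recovered templates flags it for review before it appears in a recruitment email. Domains that do not fit the template (the first four in the published list) are still blocked; they simply are not attributed to a family.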

Related posts on money mule recruitment:

[1] Keeping Money Mule Recruiters on a Short Leash - Part Eleven
[2] Keeping Money Mule Recruiters on a Short Leash - Part Ten
[3] Keeping Money Mule Recruiters on a Short Leash - Part Nine
[4] Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
[5] Keeping Money Mule Recruiters on a Short Leash - Part Seven
[6] Keeping Money Mule Recruiters on a Short Leash - Part Six
[7] Keeping Money Mule Recruiters on a Short Leash - Part Five
[8] The DNS Infrastructure of the Money Mule Recruitment Ecosystem
[9] Keeping Money Mule Recruiters on a Short Leash - Part Four
[10] Money Mule Recruitment Campaign Serving Client-Side Exploits
[11] Keeping Money Mule Recruiters on a Short Leash - Part Three
[12] Money Mule Recruiters on Yahoo!'s Web Hosting
[13] Dissecting an Ongoing Money Mule Recruitment Campaign
[14] Keeping Money Mule Recruiters on a Short Leash - Part Two
[15] Keeping Reshipping Mule Recruiters on a Short Leash
[16] Keeping Money Mule Recruiters on a Short Leash
[17] Standardizing the Money Mule Recruitment Process
[18] Inside a Money Laundering Group's Spamming Operations
[19] Money Mule Recruiters use ASProx's Fast Fluxing Services
[20] Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [21]Dancho Danchev's blog.
17. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

18. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

19. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html
Spamvertised AICPA themed emails serve client-side exploits and malware

January 9, 2013 - 12:00 am

By Dancho Danchev

Certified Public Accountants (CPAs) are a common target for cybercriminals. Throughout 2012, we intercepted several campaigns directly targeting CPAs in an attempt to trick them into clicking on the malicious links found in the emails. Once they click on any of the links, they're automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

In this post, I'll analyze one of the most recently spamvertised campaigns impersonating the American Institute of Certified Public Accountants, also known as AICPA.
Summarizing Webroot's Threat Blog Posts for December (2013-01-09 19:34)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for December, 2012. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]DIY malicious domain name registering service spotted in the wild
02. [4]Fake 'FedEx Tracking Number' themed emails lead to malware
03. [5]Bogus 'Facebook Account Cancellation Request' themed emails serve client-side exploits and malware
04. [6]Malicious 'Security Update for Banking Accounts' emails lead to Black Hole Exploit Kit
05. [7]A peek inside a boutique cybercrime-friendly E-shop - part five
06. [8]Fake 'Flight Reservation Confirmations' themed emails lead to Black Hole Exploit Kit
07. [9]Malicious 'Sendspace File Delivery Notifications' lead to Black Hole Exploit Kit
08. [10]Fake Chase 'Merchant Billing Statement' themed emails lead to malware
09. [11]Cybercriminals entice potential cybercriminals into purchasing bogus credit cards data
10. [12]Fake 'Change Facebook Color Theme' events lead to rogue Chrome extensions
11. [13]Fake 'Citi Account Alert' themed emails lead to Black Hole Exploit Kit
12. [14]Spamvertised 'Work at Home' scams impersonating CNBC spotted in the wild
13. [15]Pharmaceutical scammers spamvertise YouTube themed emails, entice users into purchasing counterfeit drugs
14. [16]Cybercriminals resume spamvertising British Airways themed E-ticket receipts, serve malware
15. [17]Fake 'UPS Delivery Confirmation Failed' themed emails lead to Black Hole Exploit Kit
16. [18]Webroot's Threat Blog Most Popular Posts for 2012

This post has been reproduced from [19]Dancho Danchev's blog. Follow him [20]on Twitter.
Summarizing ZDNet's Zero Day Posts for January (2013-02-04 22:38)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for January, 2013. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Dutch security researchers dissect the Pobelka botnet
02. [4]ESPN's ScoreCenter for iOS sends passwords in clear text, susceptible to XSS flaw
03. [5]Report: AutoRun malware infections continue topping the charts
04. [6]Comparative review: Opera leads in browser anti-phishing protection
05. [7]Italian-language page at MSN redirects to Cool Exploit Kit, serves ransomware
06. [8]WordPress releases version 3.5.1, fixes 3 security issues
07. [9]Targeted attack against UAE activist utilizes CVE-2013-0422, drops malware

This post has been reproduced from [10]Dancho Danchev's blog. Follow him [11]on Twitter.
Summarizing Webroot's Threat Blog Posts for January (2013-02-04 23:14)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for January, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]Spamvertised 'Your Recent eBill from Verizon Wireless' themed emails serve client-side exploits and malware
02. [4]Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit
03. [5]'Attention! Changes in the bank reports!' themed emails lead to Black Hole Exploit Kit
04. [6]Fake 'You have made an Ebay purchase' themed emails lead to client-side exploits and malware
05. [7]A peek inside a boutique cybercrime-friendly E-shop - part six
06. [8]Black Hole Exploit Kit author's 'vertical market integration' fuels growth in malicious Web activity
07. [9]Spamvertised AICPA themed emails serve client-side exploits and malware
08. [10]'Please confirm your U.S Airways online registration' themed emails lead to Black Hole Exploit Kit
09. [11]Malicious DIY Java applet distribution platforms going mainstream
10. [12]Fake 'ADP Speedy Notifications' lead to client-side exploits and malware
11. [13]Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generating tool
12. [14]'Batch Payment File Declined' EFTPS themed emails lead to Black Hole Exploit Kit
13. [15]Cybercriminals resume spamvertising fake Vodafone 'A new picture or video message' themed emails, serve malware
14. [16]Leaked DIY malware generating tool spotted in the wild
15. [17]Email hacking for hire going mainstream - part three
16. [18]Android malware spreads through compromised legitimate Web sites
17. [19]Fake Intuit 'Direct Deposit Service Informer' themed emails lead to Black Hole Exploit Kit
18. [20]Fake LinkedIn 'Invitation Notifications' themed emails lead to client-side exploits and malware
19. [21]Novice cybercriminals experiment with DIY ransomware tools
20. [22]Bogus 'Your Paypal Transaction Confirmation' themed emails lead to Black Hole Exploit Kit
21. [23]Fake 'FedEx Online Billing - Invoice Prepared to be Paid' themed emails lead to Black Hole Exploit Kit
22. [24]A peek inside a DIY password stealing malware
23. [25]Malicious 'Facebook Account Cancellation Request' themed emails serve client-side exploits and malware

This post has been reproduced from [26]Dancho Danchev's blog. Follow him [27]on Twitter.

1. http://blog.webroot.com/ 
2. http://feeds2.feedburner.com/WebrootThreatBlog 
3. http://blog.webroot.com/2013/01/01/spamvertised-your-recent-ebill-from-verizon-wireless-themed-emails-ser 
4. http://blog.webroot.com/2013/01/02/fake-bbb-better-business-bureau-notifications-lead-to-black-hole-exploit-kit/ 
5. http://blog.webroot.com/2013/01/03/attention-changes-in-the-bank-reports-themed-emails-lead-to-black-hole-exploit-kit/ 
6. http://blog.webroot.com/2013/01/04/fake-you-have-made-an-ebay-purchase-themed-emails-lead-to-client-side-exploits-and-malware/ 
7. http://blog.webroot.com/2013/01/07/a-peek-inside-a- 
10. http://blog.webroot.com/2013/01/10/please-confirm-your-u-s-airways-online-registration-themed-emails-lead-to-black-hole-exploit-kit/ 
11. http://blog.webroot.com/2013/01/11/malicious-diy-java-applet-distribution-platforms-going-mainstream/ 
12. http://blog.webroot.com/2013/01/14/fake-adp-speedy-notifications-lead-to-client-side-exploits-and-malware 
13. http://blog.webroot.com/2013/01/15/cybercriminals-release-automatic-captcha-solving-bogus-youtube-account-generating-tool/ 
14. http://blog.webroot.com/2013/01/16/batch-payment-file-declined-eftps-themed-emails-lead-to-black-hole-exploit-kit/ 
15. http://blog.webroot.com/2013/01/17/cybercriminals-resume-spamvertising-fake-vodafone-a-new-picture-or-video-message-themed-emails-serve-malware/ 
16. http://blog.webroot.com/2013/01/18/leaked-diy-malware-generating-tool-spotted-in-the-wild/ 
17. http://blog.webroot.com/2013/01/21/email-hacking-for-hire-going-mainstream-part-three/ 
18. http://blog.webroot.com/2013/01/22/android-malware-spreads-through-compromised-legitimate-web-sites/ 
19. http://blog.webroot.com/2013/01/23/fake-intuit-direct-deposit-service-informer-themed-emails-lead-to-black-hole-exploit-kit/ 
20. http://blog.webroot.com/2013/01/24/fake-linkedin-invitation-notifications-themed-emails-lead-to-client-side-exploits-and-malware/ 
21. http://blog.webroot.com/2013/01/25/novice-cybercriminals-experiment-with-diy-ransomware-tools/ 
22. http://blog.webroot.com/2013/01/28/bogus-your-paypal-transaction-confirmation-themed-emails-lead-to-black-hole-exploit-kit/ 
23. http://blog.webroot.com/2013/01/29/fake-fedex-online-billing-invoice-prepared-to-be-paid-themed-emails-lead-to-black-hole-exploit-kit/ 
24. http://blog.webroot.com/2013/01/30/a-peek-inside-a-diy-password-stealing-malware/ 
25. http://blog.webroot.com/2013/01/31/malicious-facebook-account-cancellation-request-themed-emails-serve-client-side-exploits-and-malware/ 
26. http://ddanchev.blogspot.com/ 
27. http://twitter.com/danchodanchev 
[Screenshot: GiveMeDB Service front page, translated from Russian] 

| Home | Price list | Rules | About us | Contacts | 

GiveMeDB Service 

We offer you a service selling databases from hacked resources of various 
kinds. Here you can always purchase the material you need for your purposes. 
We offer a wide assortment, which includes Job/Dating/Finance and other 
databases. 

Attention! We do not generate databases and do not scrape them from the Web; 
our price list contains only hacked databases. In case of any doubt we are 
always ready to prove that a database belongs to one resource or another. 

Attention! The site's materials do not contradict the legislation of Russia, 
the CIS countries, Europe or the USA. We do not distribute legally protected 
information; we merely warn site owners about possible problems in the field 
of information security. 

"Come in quietly, take a lot, leave quickly" 

Price list: Job Bases, Dating Bases, Finance Bases, Other Bases 

Contacts: ICQ: 9348793 - Ru; ICQ: 5190451 - En 

GiveMeDB.com Administration 
www.givemedb.com 
© Copyright 2009 GiveMeDB Service. All rights reserved. 
Historical OSINT - Hacked Databases Offered for Sale 
(2013-02-06 02:03) 

In the wake of the recently announced security breaches at the [1]NYTimes, 
[2]WSJ, and the [3]Washington Post, I decided to shed more light on what 
happens once a database gets compromised by Russian cybercriminals, as 
opposed to (supposedly) Chinese spies, with the idea of providing factual 
evidence that these breaches are just the tip of the iceberg. 

In this intelligence brief, I'll profile a service that operated throughout 
the entire 2009, selling access to the compromised databases of multiple 
high-traffic Web sites, obtained through the direct compromise of those 
databases, hence the name of the service - GiveMeDB. 

Primary URL: hxxp://givemedb.com - Email: giverems@mail.ru 
Secondary URL: hxxp://shopdb.blogspot.com 
ICQ: 9348793; 5190451 

During 2009, the domain responded to 83.133.123.228 (LAMBDANET-AS European 
Backbone of LambdaNet); it then changed IPs to 74.54.82.209 (THEPLANET-AS - 
ThePlanet.com Internet Services, Inc.). The following domains also responded 
to the first IP (83.133.123.228): pornofotki.com.ua and mail.vipnkvd.ru. What 
are the chances that these IPs are known to have been involved in related 
malicious/cybercrime-friendly activities? Appreciate my rhetoric. 

We also have the following [4]MD5: 6a9b128545bd095dbbb697756f5586a9, which 
spams links to the same IP (hxxp://83.133.123.228/uksus/?t=3 in particular). 

Cross-checking the second IP (74.54.82.209) across multiple proprietary and 
public databases reveals a diversified criminal enterprise that has been 
using it for years. The following MD5s are known to have phoned back to the 
same IP (74.54.82.209): 

[5] MD5: d48a7ae9934745964951a704bcc70fe9 
[6] MD5: 4626de911152ae7618c9936d8d258577 
[7] MD5: ca4b79a33ea6e311eafa59a6c3fffee2 
[8] MD5: eb3b44cee34ec09ec6c5917c5bd7cfb4 

As well as recent (2011) [9]Palevo C&C activity. Clearly, they've been 
multi-tasking on multiple fronts. 

The structure of the propositions is the following: partial URL of the hacked 
Web site, country of the Web site, quantity of records per database, 
first-time price, exclusive price. The list of affected Web sites is as 
follows: 
[Screenshot: GiveMeDB price list page, translated from Russian] 

| Home | Price list | Rules | About us | Contacts | 

"Come in quietly, take a lot, leave quickly" 

Below is our price list; it includes the databases currently in stock from 
the listed resources. Next to each item is the number of records in the 
database and two prices: the first is a reduced price, intended for selling 
the database to the first three buyers; the second is the full price, for an 
exclusive sale of the database to you alone. 

For security reasons we do not indicate the domain zone in the links to the 
listed resources. All additional information can be obtained from our support 
staff. 

Attention! All databases are sold a limited number of times and are deleted 
after purchase! 

Attention! We do not engage in spam and do not use the databases in any other 
way! 

Section - Job Bases (jobseekers): 

Resource               Country   Records in DB   General price*   Exclusive price* 
jobsbazaar.*           IN         10 000          20$              60$ 
availablejobs.*        US        380 000         300$             900$ 
ecarers.*              UK          6 000          20$              60$ 
fecareers.*            UK        160 000         150$             450$ 
healthmeet.*           US        260 000         200$             600$ 
youths.*               CH         16 000          30$              90$ 
jobpilot.*             DE         38 000          50$             150$ 
thecareerengineer.*    UK        130 000         100$             300$ 
iauk.*                 UK         43 000          50$             150$ 
jobboerse.*            DE         22 000          40$             120$ 
creativepool.*         UK         26 000          40$             120$ 
jobsinkent.*           UK         55 000          60$             180$ 
jobsinthemoney.*       US        206 000         200$             600$ 
jobup.*                CH         45 000          50$             150$ 
careerweb.*            ZA         35 000          40$             120$ 
rxcareercenter.*       US         16 000          30$              90$ 

Section - Dating: 

Resource               Country   Records in DB   General price*   Exclusive price* 
freedating.*           UK        120 000         120$             360$ 
singles-bar.*          US        130 000         130$             390$ 
muenchner-singles.*    DE         23 000          40$             120$ 
dateclub.*             UK         80 000          80$             240$ 
websingles.*           AT        200 000         200$             600$ 
find-you.*             DE          9 000          20$              60$ 
fitness-singles.*      US         94 000          90$             270$ 
houstonconnect.*       UK         40 000          40$             120$ 
datingz.*              US         12 000          20$              60$ 
loveandfriends.*       UK         50 000          50$             150$ 
lovebyrd.*             US         12 000          20$              60$ 
mydatingplacephx.*     US         15 000          30$              90$ 
cozydating.*           US          8 000          20$              60$ 
singletreffen.*        DE        230 000         200$             600$ 
datearea.*             DE         13 000          30$              90$ 
endless-fantasy.*      DE         88 000          90$             270$ 

Section - Finance: 

Resource               Country   Records in DB   General price*   Exclusive price* 
importers.*            US/EU     200 000         200$             600$ 
money.*                US        480 000         400$            1200$ 
pcquote.*              US/CA     130 000         130$             390$ 
investorvillage.*      US         40 000          50$             150$ 
gurufocus.*            US         30 000          50$             150$ 
individual.*           US        100 000         100$             300$ 
arabianbusiness.*      Asia       34 000          50$             150$ 
ecademy.*              US/EU     208 000         200$             600$ 

Section - Other: 

Resource               Country   Records in DB   General price*   Exclusive price* 
pokersourceonline.*    US/EU     100 000         100$             300$ 
wickedcolors.*         UK        120 000          80$             240$ 
salespider.*           US/CA     150 000         100$             300$ 
busytrade.*            CN        175 000         100$             300$ 
funky.*                UK         80 000          50$             150$ 

* General price - reduced price, intended for selling the database to the 
first three buyers. 
* Exclusive price - full cost, intended for an exclusive sale of the database 
to you alone. 
* Country is not an exact equivalent of the resource's domain zone. For 
security reasons we do not indicate the domain zone in the links to the 
listed resources. 

www.givemedb.com © Copyright 2009 GiveMeDB Service. All rights reserved. 

Job/CV Databases: 

jobsbazaar.* 
availablejobs.* 
ecarers.* 
fecareers.* 
healthmeet.* 
youths.* 
jobpilot.* 
thecareerengineer.* 
iauk.* 
jobboerse.* 
creativepool.* 
jobsinkent.* 
jobsinthemoney.* 
jobup.* 
rxcareercenter.* 

Dating Databases: 

freedating.* 
singles-bar.* 
muenchner-singles.* 
dateclub.* 
websingles.* 
find-you.* 
fitness-singles.* 
houstonconnect.* 
datingz.* 
loveandfriends.* 
lovebyrd.* 
mydatingplacephx.* 
cozydating.* 
singletreffen.* 
datearea.* 
endless-fantasy.* 

Financial Databases: 

importers.* 
money.* 
pcquote.* 
investorvillage.* 
gurufocus.* 
individual.* 
arabianbusiness.* 
ecademy.* 

Other Databases: 

pokersourceonline.* 
wickedcolors.* 
salespider.* 
busytrade.* 
funky.* 


Purchasing these hacked databases immediately improves the competitiveness of 
a potential cybercriminal, who now has everything he/she needs to launch 
spam, spear phishing, and [10]money mule recruitment campaigns. 

For years, novice cybercriminals and unethical competitors have purposely 
joined closed cybercrime-friendly communities, seeking help, in exchange for 
a financial incentive, in obtaining access to a particular database or in the 
"[11]defacement" of a specific Web site. What this service proves is that the 
model can actually scale to disturbing proportions, offering access to 
millions of compromised database records to virtually anyone who pays for 
them. 

Updates will be posted as soon as new developments take place. 

This post has been reproduced from [12]Dancho Danchev's blog. Follow him 
[13]on Twitter. 

1. http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all&_r=0 
2. http://professional.wsj.com/article/SB10001424127887323926104578276202952260718.html 
3. http://www.washingtonpost.com/business/technology/chinese-hackers-suspected-in-attack-on-the-posts-computers/2013/02/01/d5a44fde-6cb1-11e2-bd36-c0fe61a205f6_sto 
4. https://www.virustotal.com/file/131f2f8870071f490baf268fd3becc02b8a4dc755b23c3853e04d413a4987f6a/analysis/ 
5. https://www.virustotal.com/file/30a5441a26461e9ffc86187a0c2f6574d51d27a52a6188ecbba50cc2345586c9/analysis/ 
6. https://www.virustotal.com/file/f06867926bcff4641d1308acdb7fddf1b99f9babaca83bb72e811f1345f8904b/analysis/ 
7. https://www.virustotal.com/file/62e36c696c8bff15ba6a1b58774485ca4f18c704af9410495b4b7d24fe437901/analysis/ 
8. https://www.virustotal.com/file/99d2cbdee78f7d66d73e7545e6e03d0f20f2d731f9911fdd84c4c95f6ddea9b7/analysis/ 
9. https://palevotracker.abuse.ch/?ipaddress=74.54.82.209 
10. https://www.google.com/webhp?hl=en&tab=ww&authuser=0#hl=en&tbo=d&authuser=0&sclient=psy-ab&q=site:ddanchev.blogspot.com+%22money+mule%22&oq=site:ddanchev.blogsp 
11. http://ddanchev.blogspot.com/2008/04/commercial-web-site-defacement-tool.html 
12. http://ddanchev.blogspot.com/ 
13. http://twitter.com/danchodanchev 


[Screenshot: resources loaded by the compromised NBC.com front page; the 
site's usual analytics and advertising scripts (oimg.nbcuni.com, 
nbcudigitaladops.com, cdn.krxd.net, quantserve.com, scorecardresearch.com, 
imrworldwide.com) followed by the injected iFrame sources 
hxxp://priceworldpublishing.com/aynk.html and hxxp://umaiskhan.com/ztuj.html] 
Dissecting NBC's Exploits and Malware Serving Web 
Site Compromise (2013-02-21 22:03) 

The web site of the [1]National Broadcasting Company (NBC), NBC.com, is 
currently compromised and is redirecting tens of thousands of legitimate 
users to multiple exploit-serving and malware-dropping malicious URLs. 

The campaign appears to have been launched by the same gang of cybercriminals 
that has also recently been involved in impersonating [2]Facebook Inc. and 
[3]Verizon Wireless, in an attempt to trick their users/customers into 
clicking on links found in hundreds of thousands of spamvertised emails 
pretending to come from those companies. 

Let's dissect the campaign, expose its structure and the dropped malware, and 
connect the dots on who's behind it. 

Observed iFrames in rotation: 

hxxp://umaiskhan.com/znzd.html 
hxxp://umaiskhan.com/ztuj.html 
hxxp://priceworldpublishing.com/aynk.html 
hxxp://toplineops.com/mtnk.html 
hxxp://moi-npovye-sploett.com/qqqq/l.php 
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php 
hxxp://nikweinstein.com/cl/google.php 

Observed redirections leading to: 

hxxp://gonullersultani.net/znzd.htm 
hxxp://erabisnis.net/znzd.htm 
hxxp://electricianfortwayne.info/62.html 
hxxp://moi-npovye-sploett.com/cGeQcOwzlKPI/larktion.php 
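The injection pattern above (a legitimate page carrying a rotating set of off-site iFrames, hidden from the visitor) is easy to audit for if you have the page's HTML. The following Python block is an added example, not code from the original post or from Webroot: it walks the markup, records every iFrame, and flags those that are both off-site and hidden by their own size or by a zero-height / overflow:hidden ancestor, as well as any pointing at the injection and redirection hosts the post names. SAMPLE_HTML is constructed here to mimic the markup pattern in the post's source screenshot; the function names and the www-stripping domain heuristic are this example's own assumptions.

```python
"""Find hidden, off-site iFrames injected into a page (added example).

Not code from the original post. SAMPLE_HTML is constructed to mimic the
pattern in the NBC.com source screenshot: a zero-height, overflow:hidden
container wrapping an iFrame to one of the injection domains the post lists.
Function and constant names are assumptions of this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Injection / redirection hosts named in the post.
KNOWN_BAD_HOSTS = {
    "umaiskhan.com", "priceworldpublishing.com", "toplineops.com",
    "moi-npovye-sploett.com", "gonullersultani.net", "erabisnis.net",
    "electricianfortwayne.info",
}

# Inline CSS that makes a container (and therefore its children) invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|height\s*:\s*0(?!\.?\d)|overflow\s*:\s*hidden",
    re.I,
)
VOID_ELEMENTS = {"br", "img", "input", "meta", "link", "hr", "area", "base",
                 "col", "embed", "param", "source", "track", "wbr"}


def _base_domain(host):
    """nbc.com for www.nbc.com: a simple www-stripping heuristic, not a PSL lookup."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


class IframeAuditor(HTMLParser):
    """Record every <iframe> together with whether it, or an ancestor, is hidden."""

    def __init__(self, page_host):
        super().__init__()
        self.site = _base_domain(page_host)
        self.stack = []        # (tag, hidden?) for each currently open element
        self.findings = []

    @staticmethod
    def _hidden(attrs):
        a = {k: (v or "") for k, v in attrs}
        return (bool(HIDDEN_STYLE.search(a.get("style", "")))
                or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))

    def handle_starttag(self, tag, attrs):
        hidden = self._hidden(attrs)
        if tag == "iframe":
            src = dict(attrs).get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            onsite = host == self.site or host.endswith("." + self.site)
            self.findings.append({
                "src": src,
                "host": host,
                "offsite": bool(host) and not onsite,
                "hidden": hidden or any(h for _, h in self.stack),
                "known_bad": host in KNOWN_BAD_HOSTS,
            })
        if tag not in VOID_ELEMENTS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Unwind to the matching open tag; tolerates unclosed inline elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def audit_iframes(html, page_host):
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious_iframes(html, page_host):
    """Off-site iFrames that are hidden, plus anything pointing at a known-bad host."""
    return [f for f in audit_iframes(html, page_host)
            if (f["offsite"] and f["hidden"]) or f["known_bad"]]


# Constructed sample: one injected, hidden iFrame and one legitimate embed.
SAMPLE_HTML = """
<html><body>
<div class="align-center" style="height:0; overflow:hidden;">
  <div class="advertisement ad728x90">
    <iframe src="http://umaiskhan.com/ztuj.html" width="1" height="1"></iframe>
  </div>
</div>
<iframe src="http://player.nbc.com/video/123" width="640" height="360"></iframe>
<div class="slider"><img src="/app2/img/logo.png"><a href="/community/">Community</a></div>
</body></html>
"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "www.nbc.com"):
        print("SUSPICIOUS iframe:", f["src"],
              "hidden=%s known_bad=%s" % (f["hidden"], f["known_bad"]))
```

Run against a saved copy of a page (for example the output of `curl -s`), the audit flags the injected frame and leaves the site's own embedded player alone; the known-bad list is only a convenience for a campaign you are already tracking, the hidden-plus-off-site rule is what catches the next rotation.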
Sample client-side exploitation chain for the first campaign: 

hxxp://toplineops.com/mtnk.html -> hxxp://electricianfortwayne.info/62.html -> 
hxxp://electricianfortwayne.info/987.pdf 

Upon successful client-side exploitation, the campaign drops [4]MD5: 
4e48ddc2a2481f9ff27113e6395160e1, detected by 7 out of 46 antivirus scanners 
as Trojan-Spy.Win32.Zbot.jfgj. 

Once executed, the sample creates the "Xi3FVnelx" Mutex and phones back to: 

hxxp://eastsidetennisassociation.com/i.htm?jzd63FlJyFUfMyyflQ8U9 - 74.220.215.229 
hxxp://envirsoft.com/n.htm?xWasESNrgozQl3QNR1PNCGTGhPAWl6QJ67Bnj - 174.120.29.2 - Email: louis.bouchard@envirsoft.com 
hxxp://beautiesofcanada.com/s.htm?2dlYtfCwTLfFBzTL8TrY7btwJDVszOI - 66.96.145.104 - Email: ed-dom@yahoo.com 
hxxp://magasin-shop.com/v.htm?ZPIkcqLyyHFRxHmhVxQN8HdfszymBrXxuy - 66.96.160.143 
hxxp://couche-transport.comlu.com/r.htm?Mb6kKF3mq5H8YxeVXYM9yOwK - 31.170.161.96 

[Screenshot: excerpt of the compromised NBC.com page's HTML source, showing a 
zero-height, overflow:hidden "advertisement ad728x90" container above the 
site's header and slider markup] 

Second redirection chain for a sampled iFrame: 

hxxp://moi-npovye-sploett.com/qqqq/l.php -> 
hxxp://moi-npovye-sploett.com/cGeQcOwzlKPI/larktion.php -> 
hxxp://moi-npovye-sploett.com/cGeQcOwzlKPI/aflybing.php?esusvity=785280, 
where it attempts to exploit [5]CVE-2010-0188, an Adobe Reader/Acrobat 
vulnerability. 

Malicious domains reconnaissance: 

umaiskhan.com - 173.254.28.49 - Email: chfaisal009@gmail.com - appears to be 
a compromised site belonging to someone named "Azhar Mahmood", unless of 
course you want to believe that Pakistan's cyber warfare unit is behind the 
campaign, since this is the second time that I've come across this IP. Keep 
reading! 

priceworldpublishing.com - 174.122.45.74 - Email: info@sportsworkout.com 
electricianfortwayne.info - 173.201.92.1 - Email: mdkline65@yahoo.com 
gonullersultani.net - 72.167.2.128 - Email: gonullersultani@gmail.com 
erabisnis.net - 74.220.207.161 
moi-npovye-sploett.com - 130.185.157.102 - Email: josephhaddad829@yahoo.com 
jaylenosgarage.com - 80.239.148.217 
nikweinstein.com - 205.178.145.95 - Email: nikweinstein@hotmail.com 

mdkline65@yahoo.com is also known to have registered the following domains: 

dedirt.com 
dogsrit.com 
spiritualspice.us 
madamerufus.com 
herbalstatelegal.com 
myauditionsite.com 
injurylawyercleveland.info 
injurylawyerspringfieldmo.info 
injurylawyercolumbus.info 
injurylawyerindianapolis.info 
Who's behind this campaign, and can we connect these malicious activities to 
previously analyzed malicious campaigns? 

But, of course. 

umaiskhan.com responds to 173.254.28.49, and on 2013-01-28 18:56:19 we know 
that another domain used in a Facebook Inc. themed campaign was also 
responding to the same IP, namely 
hxxp://shutterstars.com/wp-content/plugins/akismet/resume_facebook.html. 
The compromised legitimate host back then used to serve client-side exploits 
through hxxp://gotina.net/detects/sign_on_to_resume.php - 222.238.109.66 - 
Email: lockwr@rocketmail.com. 

Deja vu! We've already seen and profiled this malicious domain in the 
following assessment, "[6]Fake 'You've blocked/disabled your Facebook 
account' themed emails serve client-side exploits and malware", indicating 
that both of these campaigns have been launched by the same cybercriminal/gang 
of cybercriminals. What's also worth emphasizing is that the same email 
(lockwr@rocketmail.com) used to register gonita.net was also profiled in the 
following assessment, "[7]Fake 'Verizon Wireless Statement' themed emails 
lead to Black Hole Exploit Kit", where it was used to register the Name 
Servers used in the campaign. 

Someone's multi-tasking. That's for sure. 

This post has been reproduced from [8]Dancho Danchev's blog. Follow him 
[9]on Twitter. 

1. http://en.wikipedia.or g /wiki/NBC 

2. http://blo a .webroot.com/ta a /facebook/ 

3. http://blo a .webroot.com/ta a /verizon/ 

4. 

https://www.virustotal.com/en/file/6b276bee21bf5946461e3 

c62f447 b3 be7179e9cce4742a6 lb2 6417609ed00 lee/anal vs 

Is L 

5. htto://cve.mitre.or a/ca i-bin/cvename.c ai ?nanie=CVE- 
2010-0188 

6. http://blo a .webroot.com/2013/Q2/14/fake-vouve- 
blockeddisabled-vour-facebook-account-themed-emails- 
serve-c 


lient-side-exoloits-and-malware/ 

7. http://blo a .webroot.com/2013/Q2/21/fake-verizon-wireless- 
statement-themed-emails-lead-to-black-hole-explo 




























it-kit / 

8. http://ddanchev.blo as pot.com/ 

9. http://twitter.com/danchodanchev 

Dissecting NBC's Exploits and Malware Serving Web 
Site Compromise (2013-02-21 22:03) 

The web site of the [1]National Broadcasting Company 
(NBC), NBC.com, is currently compromised, and is 
redirecting tens of thousands of legitimate users to multiple 
exploits serving and malware dropping malicious URLs. 

The campaign appears to have been launched by the same 
gang of cybercriminals that's also been recently involved 
in impersonating [2]Facebook Inc. and [3]Verizon Wireless, 
in an attempt to trick their users/customers into clicking 
on links found in hundreds of thousands of spamvertised 
emails pretending to come from the companies. 

Let's dissect the campaign, expose its structure, the dropped 
malware, and connect the dots on who's behind it. 

Observed iFrames in rotation: 

hxxp://umaiskhan.com/znzd.html 
hxxp://umaiskhan.com/ztuj.html 
hxxp://priceworldpublishing.com/aynk.html 
hxxp://toplineops.com/mtnk.html 
hxxp://moi-npovye-sploett.com/qqqq/l.php 
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php 
hxxp://nikweinstein.com/cl/google.php 

Observed redirections leading to: 

hxxp://gonullersultani.net/znzd.htm 
hxxp://erabisnis.net/znzd.htm 
hxxp://electricianfortwayne.info/62.html 
hxxp://moi-npovye-sploett.com/cGeQcOwzlKPI/larktion.php 
Sample client-side exploitation chain for the first 
campaign: 

hxxp://toplineops.com/mtnk.html -> 
hxxp://electricianfortwayne.info/62.html -> 
hxxp://electricianfortwayne.info/987.pdf 


Upon successful client-side exploitation, the campaign drops 
[4]MD5: 4e48ddc2a2481f9ff27113e6395160e1 - detected by 7 out 
of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.jfgj. 

Once executed, the sample creates the "Xi3FVnelx" Mutex and 
phones back to: 

hxxp://eastsidetennisassociation.com/i.htm?jzd63FlJyFUfMyyflQ8U9 - 74.220.215.229 

hxxp://envirsoft.com/n.htm?xWasESNrgozQl3QNR1PNCGTGhPAW16QJ67Bnj - 174.120.29.2 - Email: louis.bouchard@envirsoft.com 

hxxp://beautiesofcanada.com/s.htm?2dlYtfCwTLfFBzTL8TrY7btwJDVszOI - 66.96.145.104 - Email: eddom@yahoo.com 

hxxp://magasin-shop.com/v.htm?ZPIkcqLyyHFRxHmhVxQN8HdfszymBrXxuy - 66.96.160.143 

hxxp://couche-transport.comlu.com/r.htm?Mb6kKF3mq5H8YxeVXYM9yOwK - 31.170.161.96 

Second redirection chain for a sampled iFrame: 

hxxp://moi-npovye-sploett.com/qqqq/l.php -> 
hxxp://moi-npovye-sploett.com/cGeQcOwzlKPI/larktion.php -> 
hxxp://moi-npovye-sploett.com/cGeQcOwzlKPI/aflybing.php?esusvity=785280, 
where it attempts to exploit [5]CVE-2010-0188. 

Malicious domains reconnaissance: 

umaiskhan.com - 173.254.28.49 - Email: chfaisal009@gmail.com - 
appears to be a compromised site belonging to someone named 
"Azhar Mahmood", unless of course you want to believe that 
Pakistan's cyber warfare unit is behind the campaign, since 
this is the second time I have come across this IP. Keep 
reading! 

priceworldpublishing.com - 174.122.45.74 - Email: 
info@sportsworkout.com 

electricianfortwayne.info - 173.201.92.1 - Email: 
mdkline65@yahoo.com 

gonullersultani.net - 72.167.2.128 - Email: 
gonullersultani@gmail.com 

erabisnis.net - 74.220.207.161 

moi-npovye-sploett.com - 130.185.157.102 - Email: 
josephhaddad829@yahoo.com 

jaylenosgarage.com - 80.239.148.217 

nikweinstein.com - 205.178.145.95 - Email: 
nikweinstein@hotmail.com 



mdkline65@yahoo.com is also known to have registered a 
number of other domains. 

Who's behind this campaign, and can we connect these 
malicious activities to previously analyzed malicious 
campaigns? 

But, of course. 

umaiskhan.com responds to 173.254.28.49, and on 2013-01-28 
18:56:19 we know that another domain used in a Facebook Inc. 
themed campaign was also responding to the same IP, namely 
hxxp://shutterstars.com/wp-content/plugins/akismet/resume_facebook.html. 
The compromised legitimate host back then used to serve 
client-side exploits through 
hxxp://gotina.net/detects/sign on to resume.php - 
222.238.109.66 - Email: lockwr@rocketmail.com. 

Deja vu! We've already seen and profiled this malicious 
domain in the following assessment "[6]Fake 'You've 
blocked/disabled your Facebook account' themed emails serve 
client-side exploits and malware", indicating that both of 
these campaigns have been launched by the same 
cybercriminal/gang of cybercriminals. What's also worth 
emphasizing is that the same email (lockwr@rocketmail.com) 
used to register gonita.net was also profiled in the 
following assessment "[7]Fake 'Verizon Wireless Statement' 
themed emails lead to Black Hole Exploit Kit", where it was 
used to register the Name Servers used in the campaign. 

Someone's multi-tasking. That's for sure. 

Updates will be posted as soon as new developments take 
place. 
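The pivoting done by hand above (a shared hosting IP, a shared registrant email, one host redirecting to another) can be mechanised so that "same gang" becomes a reachability question. The following is an added example, not code from the original post: it links the indicators quoted above through the attributes they share, reports the resulting clusters, and returns the shortest chain of evidence between two domains. The name-server host of the Verizon-themed campaign is a placeholder because the post names only its registrant email, and the max_fanout and ignore parameters are assumptions added to keep a single widely shared attribute from merging unrelated sites.

```python
"""Infrastructure pivoting over the indicators quoted in the post.

Added example, not part of the original blog post. Domains become nodes
linked through the attributes they share (hosting IP, registrant email,
the campaign they were seen in, or a redirect from one host to another).
"""
from collections import defaultdict, deque

# (domain, attribute kind, attribute value). Values are taken from the
# post; the name-server host for the Verizon-themed campaign is a
# placeholder because the post only names its registrant email.
OBSERVATIONS = [
    ("umaiskhan.com",             "campaign", "nbc.com iFrames 2013-02"),
    ("priceworldpublishing.com",  "campaign", "nbc.com iFrames 2013-02"),
    ("toplineops.com",            "campaign", "nbc.com iFrames 2013-02"),
    ("toplineops.com",            "redirect", "electricianfortwayne.info"),
    ("umaiskhan.com",             "ip",       "173.254.28.49"),
    ("umaiskhan.com",             "email",    "chfaisal009@gmail.com"),
    ("priceworldpublishing.com",  "ip",       "174.122.45.74"),
    ("electricianfortwayne.info", "ip",       "173.201.92.1"),
    ("electricianfortwayne.info", "email",    "mdkline65@yahoo.com"),
    ("shutterstars.com",          "campaign", "Facebook-themed emails 2013-01"),
    ("shutterstars.com",          "ip",       "173.254.28.49"),
    ("shutterstars.com",          "redirect", "gotina.net"),
    ("gotina.net",                "ip",       "222.238.109.66"),
    ("gotina.net",                "email",    "lockwr@rocketmail.com"),
    ("ns-placeholder.invalid",    "campaign", "Verizon-themed emails 2013-02"),
    ("ns-placeholder.invalid",    "email",    "lockwr@rocketmail.com"),  # placeholder NS host
]


def build_graph(observations, max_fanout=5, ignore=frozenset()):
    """Undirected graph: string nodes are domains, tuple nodes are attributes.

    An attribute shared by more than `max_fanout` domains (a large
    shared-hosting IP, a registrar privacy address) or listed in `ignore`
    is not used as a link, because it says nothing about who runs the sites.
    """
    fanout = defaultdict(set)
    for domain, kind, value in observations:
        fanout[(kind, value)].add(domain)

    adj = defaultdict(set)
    for domain, kind, value in observations:
        adj.setdefault(domain, set())  # keep the domain even if every link is dropped
        key = (kind, value)
        if key in ignore or len(fanout[key]) > max_fanout:
            continue
        # A redirect links two domain nodes directly; anything else links
        # the domain to the attribute node.
        other = value if kind == "redirect" else key
        adj[domain].add(other)
        adj[other].add(domain)
    return adj


def cluster_domains(adj):
    """Connected components, reported as sorted lists of domain names."""
    seen, clusters = set(), []
    for start in list(adj):
        if start in seen or not isinstance(start, str):
            continue
        component, stack = set(), [start]
        seen.add(start)
        while stack:
            node = stack.pop()
            if isinstance(node, str):
                component.add(node)
            for nxt in adj.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        clusters.append(sorted(component))
    return sorted(clusters)


def pivot_path(adj, src, dst):
    """Shortest chain of domains and shared attributes from src to dst,
    i.e. the evidence an analyst would cite for linking them; None when
    the two are not connected."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    graph = build_graph(OBSERVATIONS)
    for cluster in cluster_domains(graph):
        print("cluster:", ", ".join(cluster))
    print("umaiskhan.com -> gotina.net:",
          pivot_path(graph, "umaiskhan.com", "gotina.net"))
    # Dropping the one shared IP shows how much of the link rests on it.
    print("without the shared IP:",
          cluster_domains(build_graph(OBSERVATIONS,
                                      ignore={("ip", "173.254.28.49")})))
```

With the shared IP ignored the graph splits into the NBC.com cluster and the Facebook/Verizon cluster, which is exactly the single observation the post's attribution hangs on.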

1. http://en.wikipedia.org/wiki/NBC 

2. http://blog.webroot.com/tag/facebook/ 

3. http://blog.webroot.com/tag/verizon/ 

4. https://www.virustotal.com/en/file/6b276bee21bf5946461e3c62f447b3be7179e9cce4742a61b26417609ed001ee/analysis/ 

5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 

6. http://blog.webroot.com/2013/02/14/fake-youve-blockeddisabled-your-facebook-account-themed-emails-serve-client-side-exploits-and-malware/ 

7. http://blog.webroot.com/2013/02/21/fake-verizon-wireless-statement-themed-emails-lead-to-black-hole-exploit-kit/ 
[Screenshot of the Webroot Threat Blog post "Recap from RSA2013: Android Malware Exposed", on Grayson Milbourne and Armando Orozco's February 27th RSA Conference presentation on the evolution of Android malware.] 
[Screenshot of the Webroot Threat Blog post "How much does it cost to buy 10,000 U.S.-based malware-infected hosts?" by Dancho Danchev.] 

Summarizing Webroot's Threat Blog Posts for 
February (2013-03-04 15:31) 

The following is a brief summary of all of my posts at 
[1]Webroot's Threat Blog for February, 2013. You can 
subscribe to [2]Webroot's Threat Blog RSS Feed, or 
follow me on Twitter: 

01. [3]Fake Booking.com 'Credit Card was not Accepted' 
themed emails lead to malware 

02. [4]Fake FedEx 'Tracking ID/Tracking Number/Tracking 
Detail' themed emails lead to malware 

03. [5]'Your Kindle e-book Amazon receipt' themed emails 
lead to Black Hole Exploit Kit 

04. [6]New DIY HTTP-based botnet tool spotted in the wild 

05. [7]Mobile spammers release DIY phone number 
harvesting tool 

06. [8]New underground service offers access to thousands 
of malware-infected hosts 

07. [9]Targeted 'phone ring flooding' attacks as a service 
going mainstream 

08. [10]Fake 'You've blocked/disabled your Facebook 
account' themed emails serve client-side exploits and 
malware 

09. [11]Spamvertised IRS 'Income Tax Refund Turned Down' 
themed emails lead to Black Hole Exploit Kit 

10. [12]Malware propagates through localized Facebook Wall 
posts 

11. [13]Malicious 'RE: Your Wire Transfer' themed emails 
serve client-side exploits and malware 

12. [14]New underground E-shop offers access to hundreds 
of hacked PayPal accounts 

13. [15]Fake 'Verizon Wireless Statement' themed emails 
lead to Black Hole Exploit Kit 

14. [16]DIY malware cryptor as a Web service spotted in the 
wild 

15. [17]Malicious 'Data Processing Service' ACH File ID 
themed emails serve client-side exploits and malware 

16. [18]How mobile spammers verify the validity of 
harvested phone numbers 

17. [19]How much does it cost to buy 10,000 U.S.-based 
malware-infected hosts? 

This post has been reproduced from [20]Dancho 
Danchev's blog. Follow him [21]on Twitter. 

1. http://blog.webroot.com/ 

2. http://feeds2.feedburner.com/WebrootThreatBlog 

3. http://blog.webroot.com/2013/02/01/fake-booking-com-credit-card-was-not-accepted-themed-emails-lead-to-malware/ 

4. http://blog.webroot.com/2013/02/04/fake-fedex-tracking-idtracking-numbertracking-detail-themed-emails-lead-to-malware/ 

5. http://blog.webroot.com/2013/02/05/your-kindle-e-book-amazon-receipt-themed-emails-lead-to-black-hole-exploit-kit/ 

6. http://blog.webroot.com/2013/02/06/new-diy-http-based-botnet-tool-spotted-in-the-wild/ 

7. http://blog.webroot.com/2013/02/07/mobile-spammers-release-diy-phone-number-harvesting-tool/ 

8. http://blog.webroot.com/2013/02/12/new-underground-service-offers-access-to-thousands-of-malware-infected-hosts/ 

9. http://blog.webroot.com/2013/02/13/targeted-phone-ring-flooding-attacks-as-a-service-going-mainstream/ 

10. http://blog.webroot.com/2013/02/14/fake-youve-blockeddisabled-your-facebook-account-themed-emails-serve-client-side-exploits-and-malware/ 

11. http://blog.webroot.com/2013/02/15/spamvertised-irs-income-tax-refund-turned-down-themed-emails-lead-to-black-hole-exploit-kit/ 

12. http://blog.webroot.com/2013/02/18/malware-propagates-through-localized-facebook-wall-posts/ 

13. http://blog.webroot.com/2013/02/19/malicious-re-your-wire-transfer-themed-emails-serve-client-side-exploits-and-malware/ 

14. http://blog.webroot.com/2013/02/20/new-underground-e-shop-offers-access-to-hundreds-of-hacked-paypal-accounts/ 

15. http://blog.webroot.com/2013/02/21/fake-verizon-wireless-statement-themed-emails-lead-to-black-hole-exploit-kit/ 

16. http://blog.webroot.com/2013/02/22/diy-malware-cryptor-as-a-web-service-spotted-in-the-wild/ 

17. http://blog.webroot.com/2013/02/25/malicious-data-processing-service-ach-file-id-themed-emails-serve-client-side-exploits-and-malware/ 

18. http://blog.webroot.com/2013/02/27/how-mobile-spammers-verify-the-validity-of-harvested-phone-numbers/ 

19. http://blog.webroot.com/2013/02/28/how-much-does-it-cost-to-buy-10000-u-s-based-malware-infected-hosts/ 

20. http://ddanchev.blogspot.com/ 

21. http://twitter.com/danchodanchev 
Dissecting NBC's Late Night with Jimmy Fallon Web 
Site Compromise (2013-03-07 00:52) 

[1]Oops, they did it again! 

The official Web site (hxxp://www.latenightwithjimmyfallon.com) 
of [2]NBC's Late Night With Jimmy Fallon is currently 
[3]compromised/hacked and is automatically serving multiple 
Java exploits to its visitors through a tiny iFrame element 
embedded on the front page. According to [4]Google's Safe 
Browsing Diagnostic page, the same malicious iFrame domain 
that affected the Web site is also known to have affected 15 
more domains. 

Let's dissect the campaign, expose the complete domain 
portfolio used in the campaign, reproduce the malicious 
payload, and establish a direct connection between this 
campaign and a series of phishing campaigns that appear to 
have been launched by the same cybercriminal/gang of 
cybercriminals. 

Sample client-side exploitation chain: 

hxxp://20-monkeys-b.com/exp/agencept.php?vialjack=339214 - 
144.135.8.182; 192.154.103.66 -> 
hxxp://20-monkeys-b.com/exp/tionjett.php 

Although the currently embedded iFrame domain is offline, 
we know that on 2013-03-06 17:02:35 it used to respond to 
192.154.103.66. We've got several malicious domains currently 
parked at the same IP and responding, allowing us to obtain 
the malicious payload used in the campaign affecting NBC's 
Web site. Upon further examination, the obtained malicious 
PDF used in the campaign also attempts to connect to the 
initial iFrame domain (20-monkeys-b.com), proving that the 
domains are operated by the same cybercriminal/gang of 
cybercriminals. 

Sample exploitation chain for a currently active 
malicious domain responding to 192.154.103.66: 

hxxp://poople-huelytics.com/exp/agencept.php?vialjack=694842 -> 
hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> 
hxxp://poople-huelytics.com/exp/addajapa/ptlyable.jar -> 
hxxp://poople-huelytics.com/exp/jectrger.php 

Sample client-side exploits served: [5]CVE-2013-0431; 
[6]CVE-2012-1723; [7]CVE-2010-0188 

Sample detection rates for the reproduced malicious 
payload: 

test.pdf - [8]MD5: 013ed8ef6d92cfe337d9d82767f778da - 
detected by 10 out of 46 antivirus scanners as 
PDF:Exploit.PDF-JS.VU 

jurylamp.jar - [9]MD5: dcba86395938737b058299b8e22b6d65 - 
detected by 7 out of 46 antivirus scanners as 
Exploit:Java/CVE-2013-0431 

ptlyable.jar - [10]MD5: 2446aa6594fc7935ca13b130d4f67442 - 
detected by 6 out of 46 antivirus scanners as 
HEUR:Exploit.Java.CVE-2012-1723.gen 

test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and 
MD5: 72B670F4582BC73C0D05FF506B51B8EB; it then attempts to 
obtain the malicious payload from 
20-monkeys-b.com/exp/senccute.php? (144.135.8.182) 

Responding to 192.154.103.66 are also the following 
malicious domains: 

snova-vdel-e.com 

mimemimikat.info 

Malicious domain names reconnaissance: 

20-monkeys-b.com - Email: haneslyndsey@yahoo.com 

poople-huelytics.com - Email: brianmyhalyk@yahoo.com 

snova-vdel-e.com - Email: guerin_k@yahoo.com 

mimemimikat.info - Email: xbroshost@live.com 

More domains share the same exploitation directory 
structure (agencept.php?vialjack=). 


The same email (xbroshost@live.com) is also known to have 
registered the following phishing domains in the past: 

hxxp://www.realtorviewproperties.info/realtorj'j/index.htm 

hxxp://www.usaindependentmerchids.com 

hxxp://www.usamerchandiseinc.com/ 

hxxp://www.blogconsciente.com/secadmin/eLogin.php 

Although the cybercriminal/gang of cybercriminals behind 
this campaign applied basic OPSEC practices to it, the fact 
that the C&C/malicious payload acquisition strategy is 
largely centralized (thankfully) indicates a critical flaw 
in their mode of thinking. 
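The URL structure the post singles out (a landing page ending in agencept.php with a numeric vialjack parameter, then .jar or .pdf fetches from the same host) is specific enough for a two-stage proxy-log rule. The following is an added example, not code from the original post: it runs such a rule over constructed log lines that reuse the hostnames quoted above; the log layout, the 120-second window and the example.com lines are assumptions.

```python
"""Proxy-log detection for the agencept.php?vialjack= exploitation chain.

Added example, not part of the original blog post. Stage one matches the
landing page the post documents; stage two escalates when the same client
then fetches a .jar or .pdf from the same host inside a short window.
"""
import re
from urllib.parse import urlsplit

# Constructed sample log (not from the post), one "<epoch> <client> <url>"
# request per line. Hostnames and paths are the ones the post quotes; the
# example.com lines are constructed to show what the rule ignores.
SAMPLE_LOG = """\
1362592955.123 10.0.0.7  http://www.latenightwithjimmyfallon.com/
1362592955.410 10.0.0.7  http://20-monkeys-b.com/exp/agencept.php?vialjack=339214
1362592956.002 10.0.0.7  http://20-monkeys-b.com/exp/tionjett.php
1362592957.110 10.0.0.9  http://poople-huelytics.com/exp/agencept.php?vialjack=694842
1362592957.900 10.0.0.9  http://poople-huelytics.com/exp/addajapa/jurylamp.jar
1362592958.300 10.0.0.9  http://poople-huelytics.com/exp/addajapa/ptlyable.jar
1362592958.800 10.0.0.9  http://poople-huelytics.com/exp/jectrger.php
1362592959.000 10.0.0.12 http://www.example.com/exp/agencept.php?vialjack=abc
1362592960.000 10.0.0.12 http://www.example.com/images/applet.jar
1362592961.000 10.0.0.15 http://20-monkeys-b.com/exp/agencept.php?vialjack%3D339214
"""

# Stage 1: the landing page. The parameter is seen both as "vialjack=" and
# URL-encoded "vialjack%3D", and the script directory varies between hosts,
# so only the file name and the numeric parameter are pinned.
LANDING_RE = re.compile(r"/agencept\.php\?vialjack(?:=|%3D)(\d+)$", re.IGNORECASE)
# Stage 2: the exploit/payload file types seen in the post's chains.
PAYLOAD_EXT = (".jar", ".pdf")


def parse_line(line):
    """Split one log line into (timestamp, client, url)."""
    ts, client, url = line.split(maxsplit=2)
    return float(ts), client, url


def detect(log_text, window=120.0):
    """Return one alert per (client, host) landing-page hit, escalated to
    'high' when that client fetched a .jar/.pdf from the same host within
    `window` seconds. Later same-host requests are kept as evidence."""
    open_alerts = {}   # (client, host) -> most recent landing-page alert
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = parse_line(line)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        match = LANDING_RE.search(url)
        if match:
            alert = {"client": client, "host": host, "vialjack": match.group(1),
                     "landing_ts": ts, "followups": [], "severity": "medium"}
            open_alerts[(client, host)] = alert
            alerts.append(alert)
            continue
        alert = open_alerts.get((client, host))
        if alert is None or ts - alert["landing_ts"] > window:
            continue   # unrelated host, or too long after the landing hit
        alert["followups"].append(parts.path)
        if parts.path.lower().endswith(PAYLOAD_EXT):
            alert["severity"] = "high"   # exploit or payload stage observed
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['severity']:6} {alert['client']:9} {alert['host']} "
              f"vialjack={alert['vialjack']} followups={alert['followups']}")
```

The example.com hit with a non-numeric vialjack value is not matched at all, and its later .jar fetch is ignored because no landing-page alert is open for that host.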

This post has been reproduced from [11]Dancho 
Danchev's blog. Follow him [12]on Twitter. 
1. http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploits-and-malware.html 

2. http://en.wikipedia.org/wiki/Late_Night_with_Jimmy_Fallon 

3. http://www.google.com/interstitial?url=http://www.latenightwithjimmyfallon.com/ 

4. http://www.google.com/safebrowsing/diagnostic?site=20-monkeys-b.com/&hl=en 

5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0431 

6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723 

7. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 

8. is/1362605408/ 
[Screenshot of the Webroot Threat Blog post "DIY Java-based RAT (Remote Access Tool) spotted in the wild" by Dancho Danchev.] 
Summarizing Webroot's Threat Blog Posts for March 
(2013-04-01 21:37) 

The following is a brief summary of all of my posts at 
Webroot's Threat Blog for March, 2013. You can subscribe to 
[1]Webroot's Threat Blog RSS Feed, or follow me on 
Twitter: 

01. [2]New DIY IRC-based DDoS bot spotted in the wild 

02. [3]Cybercriminals release new Java exploits centered 
exploit kit 

03. [4]Segmented Russian "spam leads" offered for sale 

04. [5]New DIY hacked email account content grabbing tool 
facilitates cyber espionage on a mass scale 

05. [6]New DIY unsigned malicious Java applet generating 
tool spotted in the wild 

06. [7]Commercial Steam 'information harvester/mass group 
inviter' could lead to targeted fraudulent campaigns 

07. [8]Fake BofA CashPro 'Online Digital Certificate' themed 
emails lead to malware 

08. [9]Spamvertised BBB 'Your Accreditation Terminated' 
themed emails lead to Black Hole Exploit Kit 

09. [10]New ZeuS source code based rootkit available for 
purchase on the underground market 

10. [11]Cybercriminals resume spamvertising 'Re: Fwd: Wire 
Transfer' themed emails, serve client-side exploits and 
malware 

11. [12]Cybercrime-friendly community branded HTTP/SMTP 
based keylogger spotted in the wild 

12. [13]Hacked PCs as 'anonymization stepping-stones' 
service operates in the open since 2004 

13. [14]Fake 'CNN Breaking News Alerts' themed emails lead 
to Black Hole Exploit Kit 

14. [15]Spotted: cybercriminals working on new Western 
Union based 'money mule management' script 

15. [16]Malicious 'BBC Daily Email' Cyprus bailout themed 
emails lead to Black Hole Exploit Kit 

16. [17]'ADP Payroll Invoice' themed emails lead to malware 

17. [18]'Terminated Wire Transfer Notification/ACH File ID' 
themed malicious campaigns lead to Black Hole Exploit 
Kit 

18. [19]New DIY RDP-based botnet generating tool leaks in 
the wild 

19. [20]A peek inside the EgyPack Web malware exploitation 
kit 

This post has been reproduced from [21]Dancho 
Danchev's blog. Follow him [22]on Twitter. 
1. http://feeds2.feedburner.com/WebrootThreatBlog 

2. http://blog.webroot.com/2013/03/04/new-diy-irc-based-ddos-bot-spotted-in-the-wild/ 

3. http://blog.webroot.com/2013/03/05/cybercriminals-release-new-java-exploits-centered-exploit-kit/ 

4. http://blog.webroot.com/2013/03/06/segmented-russian-spam-leads-offered-for-sale/ 

5. http://blog.webroot.com/2013/03/07/new-diy-hacked-email-account-content-grabbing-tool-facilitates-cyber-e 

6. http://blog.webroot.com/2013/03/08/new-diy-unsigned-malicious-java-applet-generating-tool-spotted-in-the-wild/ 

7. http://blog.webroot.com/2013/03/11/commercial-steam-information-harvestermass-group-inviter-could-lead-to-targeted-fraudulent-campaigns/ 

8. http://blog.webroot.com/2013/03/12/fake-bofa-cashpro-online-digital-certificate-themed-emails-lead-to-malware/ 

9. http://blog.webroot.com/2013/03/13/spamvertised-bbb-your-accreditation-terminated-themed-emails-lead-to-black-hole-exploit-kit/ 

10. http://blog.webroot.com/2013/03/14/new-zeus-source-code-based-rootkit-available-for-purchase-on-the-underground-market/ 

11. http://blog.webroot.com/2013/03/15/cybercriminals-resume-spamvertising-re-fwd-wire-transfer-themed-emails-serve-client-side-exploits-and-malware/ 

12. http://blog.webroot.com/2013/03/19/cybercrime-friendly-community-branded-httpsmtp-based-keylogger-spotted-in-the-wild/ 

13. http://blog.webroot.com/2013/03/20/hacked-pcs-as-anonymization-stepping-stones-service-operates-in-the-open-since-2004/ 

14. http://blog.webroot.com/2013/03/21/fake-cnn-breaking-news-alerts-themed-emaills-lead-to-black-hole-exploit-kit/ 

15. http://blog.webroot.com/2013/03/22/spotted-cybercriminals-working-on-new-western-union-based-money-mule-management-script/ 

16. http://blog.webroot.com/2013/03/25/malicious-bbc-daily-email-cyprus-bailout-themed-emails-lead-to-black-hole-exploit-kit/ 

17. http://blog.webroot.com/2013/03/26/adp-payroll-invoice-themed-emails-lead-to-malware/ 

18. http://blog.webroot.com/2013/03/27/terminated-wire-transfer-notificationach-file-id-themed-malicious-campaigns-lead-to-black-hole-exploit-kit/ 

19. http://blog.webroot.com/2013/03/28/new-diy-rdp-based-botnet-generating-tool-leaks-in-the-wild/ 

20. http://blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/ 

21. http://ddanchev.blogspot.com/ 

22. http://twitter.com/danchodanchev 
Historical OSINT - The "BadB International" 
Cybercrime Enterprise (2013-04-10 21:53) 

[1]BadB is the nickname of Vladislav Anatolievich 
Horohorin, a high profile carder, who eventually [2]got 
busted in France in 2010. This month, he was [3]sentenced 
to serve 88 months in prison, ordered to pay $125,739 in 
restitution, and sentenced to two years of supervised 
release. 

In the wake of these events, I decided to release some raw 
OSINT data regarding BadB's official Web site, 
hxxp://badb.biz. 
[Embedded image text, largely illegible: sections titled "Mechanics of the reader" and "Using the software" from a write-up on a home-made magnetic stripe card reader]

Related URLs: hxxp://badb.biz; hxxp://badb.org; hxxp://dumps.name

Emails: badb4cc@yahoo.com; metaksa_s@yahoo.com; support@agava.com; admin@agava.com; admin@carderplanet.biz

ICQ: 49162552

Phone number: +19522325532 (working, according to BadB, in 2009)

IP hosting history for badb.biz from 2005 to 2010, in the format (initial hosting IP -> IP change detected to a new IP):

217.107.212.115 -> 64.202.167.129 
64.202.167.129 -> 217.107.212.115 
217.107.212.115 -> 217.107.212.9 
217.107.212.9 -> 89.108.66.104 
89.108.66.104 -> 68.178.232.99 
68.178.232.99 -> 89.108.66.104 
216.8.177.23 -> 78.109.18.150 
78.109.18.150 -> 196.32.222.9 
89.108.73.117 -> 94.75.221.75
94.75.221.75 -> 92.241.164.92 

Sample About Us section description from badb.biz:

We are independent e-commerce security investigation group. We are help e-commerce organisations such as Visa, Mastercard, regional processings and other e-commerce structures to understand how vulnerable they are. We are not connected to any criminal structures, not performing any outlaw actions by ourselves, not selling drugs, not sending any spam, not connected to any child porno, not supporting terrorists itself nor terrorist organisations. If you received any spam from us - this is a fake of our enemies we are never use spam to promote our site. All information you can read here provided "As Is" and only for educational purposes. All articles are copyrighted, if you wish to take any part of information from here - please refer to origination site. All we do - is we have for sale some dumps, cvvs and cobs - just for experimental purposes of our customers ;-) We listen and effectively respond to your needs and those of your clients. We are experts at translating those needs into marketing solutions that work, look great and communicate well. Each day brings increased opportunity to increase business in current as well as new.

This case is a great example of a simple fact: with or without BadB, [4]the market for stolen credit card data continued growing throughout the entire 2011. Then in 2012, we witnessed two law enforcement operations, courtesy of [5]SOCA and the [6]FBI. However, despite these efforts, the market for stolen credit card data remains as vibrant as always.

Thanks to the [7]standardization taking place in the money mule recruitment process, as well as the nearly identical online shops for stolen credit card data, those who cannot "cash out" the balances of the credit cards will choose to [8]risk-forward the selling process to the buyers of the stolen data. The rest will continue looking for more efficient, automatic, and anonymous ways to get access to the stolen money, continuing to rely on money mules or virtual currencies.

This post has been reproduced from [9]Dancho Danchev's blog. Follow him [10]on Twitter.

1. http://www.youtube.com/watch?v=9v4ii i OXGe a

2. http://www.wired.com/threatlevel/2010/08/badb/

3. http://www.justice.gov/opa/pr/2013/April/13-crm-386.html

4. http://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards.html

5. http://www.soca.gov.uk/news/446-web-domains-seized-in-international-operation-to-target-online-fraudsters

6. http://www.zdnet.com/blog/security/24-cybercriminals-arrested-in-operation-card-shop/12435

7. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

8. http://blog.webroot.com/2013/03/22/spotted-cybercriminals-working-on-new-western-union-based-money-mule-management-script/

9. http://ddanchev.blogspot.com/

10. http://twitter.com/danchodanchev
A fairy tale? For many, yes, but for us - no! For us it is a reality that lasts for more than 3 years!

Who are we? Family! A strong united family, in which you did not throw, and in which you will help achieve your goals.

What we do? We are engaged in doorways. Forget about boring 100 sheet manuals that are written by people far removed from the search engine optimization! We practice and therefore our information is always current. Our system of wages worked equally well in 2010 and now.

Thanks to our hundreds of people have achieved their financial independence. By the way, not to be unfounded, look at a couple of reviews of our students (picture size):


What's the ROI on Going to a Virtual Blackhat SEO School? (2013-04-17 23:45)

For years, fraudulent or [1]purely malicious actors have been abusing the online advertising market, by [2]directly hijacking and redirecting [3]the revenue flow, or by [4]successfully and efficiently hijacking as large a share of legitimate search traffic as possible, and monetizing it through the use of [5]blackhat SEO (search engine optimization) tactics and shady affiliate networks.

[6]Monetizing the very monetization process? Standardizing the revenue generation and knowledge spreading streams, achieving efficiencies in the process, and directly contributing to a new, this time better trained and educated generation of blackhat SEO-ers? Someone is knowingly or unknowingly on a mission. A mission with a brand.

In this post, I'll profile a highly successful [7]blackhat SEO 'school' that promises the Moon, but asks for nothing except $1,000 for the training course, which will turn you into a sophisticated blackhat SEO expert, netting you huge amounts of money.

Operating in the open since 2010, the service is currently (2013) asking for $350, presumably to keep the flow of new customers going. Since its initial launch date, the business model has been relying on a loyal set of people who already "took" the course and continue making money up to the present day. That loyalty and happy-customer "feedback" is best demonstrated by featuring exclusive screenshots courtesy of the happy customers.

Initial forum advertisement:
Welcome to the forum millionaires! So, I decided, now I will
welcome the new students. 



And you know why? 


My course, and our forum for more than two years, and during that time has accumulated a huge pile of reviews with the statistics. Wondered how many of my students have earned over 2 years on my course?

And it turned out that except cars, apartments, purely 
according to PP, pupils together earned 17 million rubles! 

And 

it is only those who have shown their statistics. And I think in 
2 years they could make a few more millions. (Figure 

is slightly inaccurate to 9 tines in a notebook I got tired and 
started to round + decided not to take into account the 

3,000,000 earnings per pupil) 

In two years, we have made dozens of millionaires in Russia, Ukraine and Belarus. Their lives changed immediately, as soon as they hit the family. People sitting in debt in a few months to buy a new car.

People are sitting at their desks yesterday brought home two 
monthly salaries parents, and explained that it is 

unashamedly from the Internet, it is their earnings! 

People who are already my course have been very successful become even more successful. The forum is stable enough people who earn a day 50-60 thousand rubles. This is not theoretical, not uncle in suits, this is the same young guys like you or me.



Although I must admit, the forum is and uncle in suits for 30-40 years, primarily to get through doorways capital to support their business.

And all these people realize that they are family, friends, and they willingly associate, dividing their experiences, secrets! Access to the course - it is a unique opportunity to touch the thought of successful people, to breathe the same air with them, get their energy and join the ranks of millionaires.

As early as the year, the forum has two tech support, and 
username, people are few easy counseled hundreds 

of students and even if they did not do dory - would know 
what the perfect doorway. 

BUT! They do work, make Dora always advise how to make 
your doorway even better answer the most stupid 

question, and will lead to the most stable earnings. 

Now, if you are reading these lines and think that $1000 for access and the opportunity to become a millionaire in 24\7 support from a support, for the opportunity to be in the new family is expensive, I never selling you access.

We need people who value themselves, their money and 
time. If $ 1,000 seems to you a great price, then you 

will never become a millionaire from the internet and you 
simply do not want my family. 



Imagine you paid $ 1,000 in the bank say, come back every 
day to ask questions and get a month - $ 100,000, 

it is tempting? Here's a bank - this is our forum. And 80 pages of reviews stands surety for this bank.

You may think, but what for me is all good topic no one will 
sell! 

And I grieve you, it's not the topic, not the scheme, not the 
holy grail, it's work. Work by a support forum and 

make it so simple that you will forget the times when you 
have not worked with doorways. 

A successful guys will charge you so much energy that the 
work will be for you the best thing in life. You're going to 

sleep at 4:00, waking up in the middle of the night with 
burning eyes, watch as your dorveychiki live there, and how 
many thousands have already dripped while you were
sleeping. 

Through it all the disciples, and I think they would give, and 10 and 100 thousand dollars to get through it again.

But there is a dump in a Public Forum, everything is - you 
say. 

And I'll tell you the story of how one day I lost the backup of 
offline and restored the forum 15 minutes ago 

from what it was last time. And it was a huge mistake! Lost 
about 50 messages, 12 topics and 5-6 blog posts! The 



disciples were indignant. On our forum mad update rate, and 
dump the last year and the relevance of information 

out there already in negative degrees and I am afraid that 
only harms doorways. 

But I can learn myself! Yes you can, spend a few years on 
independent learning. 

And you can put a time out and spend $1000 on an active training week and immediately makes the doorways correctly. Once again, we are waiting for our club anonymous millionaires of people who know the value of money and his own time, who want to invest in yourself, earn, and not break your head against the wall, when there are people who will show how to get around.

Course can be purchased on the preliminary interview in ICQ 
price - $ 1000. 

And remember, we are, we need special people, very few of 
them, they are people who are willing to invest in 

yourself and do not try to save yourself cheaply though. So I 
throw in ICQ to ignore anyone who asks me for a discount 

or credit. I understand that in spite of the 80-page review, 
you may be unsure if it will work with you. Therefore, we 

give a new guarantee manibeka. If two weeks you feel - that 
doorway - it's not yours, we will refund the money and 

pay the top 5 million rubles, for what you have spent your
time! 



Frequently Asked Questions (FAQ) 

Good day , and now its time to answer all the questions a 
novice who wants to buy a course to dot the i, made to 

understand that he buys, he will get what may 
dobitsya.Nus's begin. 

1. Chem we do?

Black seo.Dorvei.Dory are very flexible and tenacious tool for 
earnings, its flexibility due to the variety of topics 

and types of monetization, and vitality - the existence of PS, 
and how long will exist as long as the search engines 

will be using dory We produce traffic, ie the users, ie the 
people, the traffic is the blood in the veins of the internet, 
and this is the main advantage that dorveyschik unlike white 
SEOs can in a short time to break a lot more traffa a 

completely different subjects and to merge it back where it 
needs . in a simple version of ail is: 

1. Registriruemsya an affiliate program, it gives you the 
choice of partner sites of some topics (topics vary from porn 

and finishing ail kinds of divination), statistics (to track kollvo 
coming to your site, paid for kollvo, Coiva who have come 
again). 

2. Delaem doorway, we find: 

- Thematic traffistye quality keys (which are appropriate to 
the site subject we took from PP) 


- Template 



- Text 


All this is described in detail in the course and on the forum. 

3. Zaiivaem doorway to shell 

4. Zhdem 4.3 apa (an - update Yandex search results, also 
known as SERP, quite by chance, usually up to one week, 

sometimes more) 

5. Poluchaem traff and accordingly money. 

Well this is just a simple and obvious option, work with SMS 
affiliate, to start - the fact that many small minded people to 
talk about the thousandth time of death doorways as 
income, just because of the changes in the SMS payment, 
it's 
wrong, it's stupid, it's self-deception to deceive drugih. I as,
say, we have learned to produce traffic, our traffic started to 
give Dora and now we have to redirect it somewhere ie 
merge and convert / convert into money, a lot of options: 

1. Partnerki with sms payment, the most obvious and as I 
wrote the best option to start. 

2. Partnerki pay-per-download and install the file, such PP a 
lot, and they are all different, from the fact that you are 
paying for the jump and the malicious Trojan or whether 
something like that, to quite formal type of games WORLD 

of-tanks, Yandex bars etc. and tp.lmeya large amounts of 
traffic (which is the second task dorveyschika, increase the 



volume of traffic) in the first and in the second option holders 
PP will take you with open arms and make bonuses. 

3. Svoi online shopping and platniki. V this topic a little
feedback from these guys, as many prefer to work with SMS 

and other PP, but byvali.Odin met some of the students at 
comrade serche, he did an Internet jewelry store and the 

problem was my student in the production of traffic, he 
quickly picked up, done and grabbed a piece of the profit. 

AH that I wrote just for you to understand, I teach mine 
traffic, targeted traffic from search engines, I would suggest 
the best methods of monetization, by which usually fight off 
the course, but never forget that you have a great 

opportunity to go and grab a piece of the traffa on desired 
topics with Yandex and merge where necessary. 

2.Navernoe topic died\ bought her so much, so long 
existed, much is competition? 

I am for all the time of sale of the course has experienced 
the death of a thousand and one as the reward 

scheme, but that's amazing, for some reason all those who 
want to - successfully earn dorah.Chto for competition - 

in do rah very high turnover, namely Dora always fly into the 
index ( Yandex search) and flew over, it's all backed by 

the characteristic features of the behavior dorveyschika and 
dorveyschik often tasting dough, he realized how easily 

make dory, does pack and walk yourself getting denyuzhki, 
leaving room for other results. 



3. Zachem you sell? 

That's what I do - called infobiznesom admit, when all this 
started, I such a word and znal.Est two concepts, 

with which you can ever accurately explain the infobiznesa, 
information and insider information autsayder.Kogda- 

long ago, when I was dramas and gathering information 
about them bit by bit on various forums -1 was an outsider, 

I was not available methods that can quickly lead to success, 
and everything had to be found by experiment, my first 

income from went after 3 months and a naked enthusiasm 
nadezhdy.Pokupaya course you get insider information, 

which is called the bat, straight to the kitchen where 
everything is cooked, I do not sell super flow sheet, I only 
give an opportunity and take it for a fee, sell their time and, 
in recent years, more and more nerves, which is why, in 
order to maintain this non-renewable resource, and I wrote it, 
do not be lazy, read. 

4. Kak guarantee that I Otobaya course? 

No! Absolutely! Absolutely no, When we first started selling 
rate - while I was still able to provide guarantees 

to score reviews, to prove to everyone that the theme works, 
but now - no, no way! Your warranty - you, your desire, 

hard work, commitment - that guarantee it, I can not 
guarantee anything I can not and will not, often when a 
person 

writes me word guarantee, he wants me to take 
responsibility for his lazy ass over - No, I'm sorry 



5.Malenky advice, how to effectively master the 
course and see if it fits you at all. 

My experience learning heaps different people, still divided 
them into two types, this is a huge difference, the 

gap between the two approaches to learning, results in a 
huge gap in the success of these students. 

The first type: people with pure slave mentality, they need to 
stick, do not explain, do not need to seek understanding, just 
poke, push there, dick here. 

How he thinks: Suppose we make a template for Dora, and 
we need to write deksripshen, deskripshen - description of 

the site which comes out at the bottom under the link, his 
task - to give information about the page and encourage 

people to move to tyknut ie sayt. On asks me what write 
here, I explain what it is and I say write something that 
would 

please you, and you would make pereyti. On in a stupor, he 
can not think and can not even offer the option, he just 
wants me to tell him that there napisat. Eto not right!

The second type: The second type is often trying to organize 
all the information in the first place to understand how 

things work, and there are already having a solid foundation 
and framework - to batter me with questions and to 

increase their knowledge, for example of the first type, the 
second type, after hearing deskripshen what and why it is, 



would compare with my examples and offered his variant. Vot 
so you have to be, if you're so - I'll be glad to have you 

in the ranks of students. 

6. Tsena huge! Tc asshole, the course did not buy, but 
it's an asshole! Reviews delete it! 

Do not like the price - do not buy it, no one vparivaet, there 
is no hint of the imposition of the course, under 

the gun more so no one makes pokupat.Goiye hit and 
conclusions about the course of those who did not buy it - 

please do not post, I immediately call the moderators, all is 
removed, how can you talk about the course, not having 

been on FSU How we can talk about what you do not know, if 
you were not in the motivation section on the forum 

where dozens of success stories of students? I bought the 
course, learned, wrote otzyv.Ya a moderator section only 

CEO and section on "Work" where this topic -1 can not 
moderate. 

7. What I receive after payment? 

Education - after payment receive video / txt + access to the 
forum, watch / read/ do, have questions - ask, 

discuss - send to the forum, no - rasskazyvayu.Esli you read 
the topic that many people write that the chip in 

the forum, unnecessarily there is a lot of relevant info and all 
you happy pomoch. Ves free software data - paid 



counterparts shown in forume.Dostup forum and 
consultations Asik - unlimited. 

8.Skolko need to successfully quick Start? 

Then (in a week or another) will need $ 10-20 for vpn (both 
analog proxy / socks or Dedicated Server) and 

200-300 rubles for glanders.

9. Kak Otobaya fast I / osvoyu course? 

Everything is individual, calculate and even about to say (to 
you) this time period may depend both on the 

human factor (your knowledge, experience) and on Yandex, 
which is quite nepredskazuem.Osnovyvayas on the 

experience of previous students gives dor $ 200 4 up to 30 
days after the publication of indeks.3-4 a pa usually climbs 

Dor ups are completely random, look here 
http://seobudget.ru/updates labeled SERP. 

10. Rynok forum. 

In our forum, which you can access after purchase - there is 
a market, as in any other forum, it is an integral 

part of the forum who wants to live, and in the end we are all 
in this forum for one reason - we ail want to make 

money someone else has earned, someone just nachinaet. V 
Unlike other forums - the market for FSU controlling me, 

he monopolizirovan. Kursy of its kind in the forum - / only sell 
and no other, their commercial activities in the forum - 



with me coordinate is not necessary , but if it is removed - so 
she does not belong here. 

Screenshots provided by actual customers of the 
service, featuring its primary ICQ contact point: 
Blackhat SEO - it doesn't just pay the bills.

This post has been reproduced from [8]Dancho 
Danchev's blog. Follow him [9]on Twitter. 

1. http://www.av-test.or g /fileadmin/pdf/avtest2013- 
03_search_en a inesjrialware_en a lish.pdf 

2. http://ddanchev.blo as pot.com/2010/07/samplin a- 
malicious-activitv-inside.html 

3. http://www.zdnet.com/blo a /securit v/c vbercriminals- 
promotin a -malware-friendlv-search-en a ines/3333 


4. http://www.zdnet.com/blo a /securitv/botnets-committin a- 
click-fraud-observed/1200 


























5. https://www. a oo a le.com/#outPut=search&sclient= psv- 
ab&a=site:ddanchev.blo as pot.com+%22blackhat+seo%22& 
oq=si 

te:ddanchev.blo as pot.com+%22blackhat+seo%22& a s_l = 

6. http://ddanchev.blo as pot.com/2009/06/peek-inside- 
mana a ed-blackhat-seo.html 

7. https://www. a oo a le.com/#output=search&sclient= psv- 
ab&a=site:ddanchev.blo as pot.com+blackhat+seo 

8. http://ddanchev.blo as pQt.com/ 

9. http://twitter.com/danchodanchev 
A fairy tale? For many, yes, but for us - no! For us it is a 
reality that has lasted for more than 3 years! 

Who are we? Family! A strong, united family, in which you 
will not be abandoned, and which will help you achieve your 
goals. 

What do we do? We are engaged in doorways. Forget about 
boring 100-sheet manuals written by people far removed 
from search engine optimization! We practice, and therefore 
our information is always current. Our earning system worked 
equally well in 2010 and now. 

Thanks to us, hundreds of people have achieved their 
financial independence. By the way, so as not to be 
unfounded, look at a couple of reviews from our students 
(picture size): 

What's the ROI on Going to a Virtual Blackhat SEO 
School? (2013-04-17 23:45) 

For years, fraudulent or [1]purely malicious actors have 
been abusing the online advertising market, either by [2]directly 
hijacking and redirecting [3]the revenue flow, or by 
[4]successfully and efficiently hijacking as large a 
percentage of legitimate search traffic as possible and 
monetizing it through [5]blackhat SEO (search engine 
optimization) tactics and shady affiliate networks. 

[6]Monetizing the very monetization process? Standardizing 
the revenue generation and knowledge-spreading streams, 
achieving efficiencies in the process, and directly 
contributing to a new, this time better trained and educated, 
generation of blackhat SEO-ers? Someone is, knowingly or 
unknowingly, on a mission. A mission with a brand. 

In this post, I'll profile a highly successful [7]blackhat SEO 
'school' that promises the Moon, but asks for nothing except 
$1,000 for the training course, which will turn you into a 
sophisticated blackhat SEO expert, netting you huge amounts 
of money. 

Operating in the open since 2010, the service is currently 
(2013) asking for $350, presumably to keep the flow of new 
customers going. Since its initial launch date, the business 
model has relied on a loyal set of people who already "took" 
the course and continue making money to the present day - 
loyalty and happy-customer "feedback" best demonstrated by 
featuring exclusive screenshots courtesy of those happy 
customers. 

Initial forum advertisement: 
Welcome to the forum, millionaires! So, I decided that now I will 
welcome the new students. 

And you know why? 

My course and our forum have existed for more than two years, 
and during that time a huge pile of reviews with statistics has 
accumulated. Wondered how many of my students have earned 
over 2 years on my course? 

And it turned out that, apart from cars and apartments, purely 
according to the PP, the pupils together earned 17 million 
rubles! And that is only those who have shown their statistics. 
And I think in 2 years they could have made a few more 
millions. (The figure is slightly inaccurate: at 9 lines in a 
notebook I got tired and started to round, and decided not to 
take into account the 3,000,000 earnings per pupil.) 

In two years, we have made dozens of millionaires in Russia, 
Ukraine and Belarus. Their lives changed immediately, as soon 
as they got into the family. People sitting in debt bought a new 
car within a few months. 

People who were sitting at their desks yesterday brought home 
two monthly salaries of their parents, and explained that it is 
unashamedly from the Internet, it is their earnings! 

People who already had my course and were very successful 
became even more successful. The forum has a stable number 
of people who earn 50-60 thousand rubles a day. This is not 
theoretical, not uncles in suits, these are the same young guys 
like you or me. 

Although I must admit, the forum also has uncles in suits of 
30-40 years, primarily getting capital through doorways to 
support their business. 

And all these people realize that they are family, friends, and 
they willingly associate, sharing their experiences and secrets! 
Access to the course is a unique opportunity to touch the 
thinking of successful people, to breathe the same air with 
them, get their energy and join the ranks of millionaires. 

As early as this year, the forum has two tech support people, 
people who have easily counseled hundreds of students and 
who, even if they did not make doorways, would know what the 
perfect doorway is. 

BUT! They do work, make doorways, always advise how to make 
your doorway even better, answer the most stupid question, and 
will lead you to the most stable earnings. 

Now, if you are reading these lines and think that $1000 for 
access and the opportunity to become a millionaire, with 24/7 
support, for the opportunity to be in the new family, is 
expensive, I am never selling you access. 

We need people who value themselves, their money and time. If 
$1,000 seems to you a great price, then you will never become 
a millionaire from the internet and you simply do not want my 
family. 

Imagine you paid $1,000 to a bank, say, came back every day 
to ask questions and got $100,000 a month - is it tempting? 
Here's a bank - this is our forum. And 80 pages of reviews 
stand surety for this bank. 


You may think: but a topic that good, no one will sell! 

And I grieve you: it's not the topic, not the scheme, not the 
holy grail, it's work. Work with the support of the forum, and we 
make it so simple that you will forget the times when you had 
not worked with doorways. 

Successful guys will charge you with so much energy that the 
work will be for you the best thing in life. You're going to sleep 
at 4:00, waking up in the middle of the night with burning eyes 
to watch how your little doorways live there, and how many 
thousands have already dripped in while you were sleeping. 

All the disciples have been through it, and I think they would 
give 10 and 100 thousand dollars to go through it again. 

But there is a dump in a public forum, everything is there - you 
say. 

And I'll tell you the story of how one day I lost the offline 
backup and restored the forum from what it was the last time, 
15 minutes ago. And it was a huge mistake! Lost about 50 
messages, 12 topics and 5-6 blog posts! The disciples were 
indignant. Our forum has a mad update rate, and a dump from 
last year, whose relevance is already in negative degrees, I am 
afraid only harms doorways. 

But I can learn myself! Yes you can: spend a few years on 
independent learning. 

Or you can take a time out and spend $1000 on an active 
training week and immediately make doorways correctly. Once 
again, we are waiting in our club of anonymous millionaires for 
people who know the value of money and their own time, who 
want to invest in themselves, earn, and not break their head 
against the wall when there are people who will show how to 
get around it. 

The course can be purchased after a preliminary interview in 
ICQ; price - $1000. 

And remember, we need special people, very few of them, 
people who are willing to invest in themselves and do not try to 
save on themselves cheaply. So I throw into ICQ ignore anyone 
who asks me for a discount or credit. I understand that in spite 
of the 80-page review, you may be unsure whether it will work 
for you. Therefore, we give a new money-back guarantee. If 
after two weeks you feel that doorways are not yours, we will 
refund the money and pay 5 million rubles on top for the time 
you have spent! 

Frequently Asked Questions (FAQ) 

Good day, and now it's time to answer all the questions of a 
novice who wants to buy the course, to dot the i's, to make him 
understand what he buys, what he will get and what he may 
achieve. Well, let's begin. 

1. What do we do? 

Black SEO. Doorways. Doorways are a very flexible and 
tenacious tool for earnings; their flexibility is due to the variety 
of topics and types of monetization, and their vitality to the 
existence of search engines, and they will exist as long as 
search engines do. We produce traffic, i.e. users, i.e. people; 
traffic is the blood in the veins of the internet, and this is the 
main advantage: a doorway-maker, unlike white SEOs, can in a 
short time pull a lot more traffic on completely different 
subjects and merge it back where it is needed. In a simple 
version it all is: 

1. We register with an affiliate program (PP); it gives you a 
choice of partner sites on some topics (topics vary from porn to 
all kinds of divination) and statistics (to track the number of 
those who came to your site, the number paid for, the number 
who came again). 

2. We make a doorway; for this we find: 

- Thematic, high-traffic, quality keys (appropriate to the site 
subject we took from the PP) 

- A template 

- Text 

All this is described in detail in the course and on the forum. 

3. We upload the doorway to a shell. 

4. We wait for the ap (ap - an update of the Yandex search 
results, also known as SERP; quite random, usually up to one 
week, sometimes more). 

5. We get traffic and, accordingly, money. 

Well, this is just the simple and obvious option, working with an 
SMS affiliate, to start. The fact that many small-minded people 
talk for the thousandth time about the death of doorways as 
income, just because of the changes in SMS payment, is wrong, 
it's stupid, it's self-deception and deceiving others. And so, say, 
we have learned to produce traffic, our doorways have started 
to give traffic, and now we have to redirect it somewhere, i.e. 
merge and convert it into money; there are a lot of options: 

1. Affiliate programs with SMS payment, the most obvious and, 
as I wrote, the best option to start. 

2. Affiliate programs that pay per download and install of a file; 
there are a lot of such PPs, and they are all different, from 
those where you are paid for the download of a malicious 
Trojan or something like that, to quite formal ones like the 
game World of Tanks, Yandex bars, etc. Having large amounts 
of traffic (which is the second task of the doorway-maker: 
increase the volume of traffic), in both the first and the second 
option the PP owners will take you with open arms and give 
bonuses. 

3. Your own online shops and paid sites. On this topic there is 
little feedback from these guys, as many prefer to work with 
SMS and other PPs, but there have been cases. One of the 
students met a comrade at Serch who had made an online 
jewelry store, and the problem was traffic; my student quickly 
picked it up, did it and grabbed a piece of the profit. 

All this I wrote just for you to understand: I teach traffic, 
targeted traffic from search engines; I suggest the best 
methods of monetization, by which the course usually pays for 
itself, but never forget that you have a great opportunity to go 
and grab a piece of the traffic on desired topics from Yandex 
and merge it where necessary. 

2. Probably the topic has died; so many have bought it, it has 
existed so long; is there much competition? 

Over the whole time of selling the course I have experienced 
the death of this earning scheme a thousand and one times, 
and yet, amazingly, for some reason all those who want to - 
successfully earn on doorways. As for competition: in doorways 
there is very high turnover, namely doorways always fly into 
the index (Yandex search) and fly out of it; it's all backed by the 
characteristic behaviour of the doorway-maker: often, having 
tasted the dough, he realizes how easily doorways are made, 
does a pack of them and walks off collecting his money, leaving 
room for other results. 

3. Why do you sell? 

What I do is called infobusiness; I admit, when all this started, 
I didn't even know such a word. There are two concepts with 
which you can accurately explain infobusiness: insider 
information and outsider information. Long ago, when I was 
doing doorways and gathering information about them bit by 
bit on various forums, I was an outsider; methods that could 
quickly lead to success were not available to me, and 
everything had to be found by experiment; my first income 
came after 3 months, on bare enthusiasm and hope. Buying the 
course you get insider information, which is called the bat, 
straight to the kitchen where everything is cooked. I do not sell 
a super flow sheet, I only give an opportunity and take a fee 
for it; I sell my time and, in recent years, more and more 
nerves, which is why, in order to maintain this non-renewable 
resource, I wrote this; do not be lazy, read. 

4. What guarantee is there that I will recoup the course? 

No! Absolutely! Absolutely none. When we first started selling 
the course, I was still able to provide guarantees, to score 
reviews, to prove to everyone that the theme works, but now - 
no, no way! Your warranty is you, your desire, hard work, 
commitment - that is the guarantee; I cannot guarantee 
anything, I can't and will not. Often when a person writes me 
the word guarantee, he wants me to take responsibility for his 
lazy ass - no, I'm sorry. 

5. A little advice on how to effectively master the course 
and see whether it fits you at all. 

My experience of teaching heaps of different people has divided 
them into two types; there is a huge difference, a gap between 
the two approaches to learning, which results in a huge gap in 
the success of these students. 

The first type: people with a pure slave mentality; they need a 
stick, do not explain, no need to seek understanding, just poke: 
push there, poke here. 

How he thinks: suppose we make a template for a doorway, and 
we need to write the description - the description of the site 
which comes out at the bottom under the link; its task is to 
give information about the page and encourage people to click, 
i.e. go to the site. He asks me what to write here; I explain what 
it is and I say: write something that would please you and make 
you click. He's in a stupor, he cannot think and cannot even 
offer an option, he just wants me to tell him what to write 
there. This is not right! 

The second type: the second type often tries first to organize 
all the information, to understand how things work, and then, 
already having a solid foundation and framework, to batter me 
with questions and increase their knowledge. In the example of 
the first type, the second type, after hearing what a description 
is and why, would compare with my examples and offer his own 
variant. That's how you have to be; if you're like that, I'll be 
glad to have you in the ranks of students. 


6. The price is huge! The topic starter is an asshole, I did not 
buy the course, but he's an asshole! Delete the reviews! 

Don't like the price - don't buy it; no one is pushing it, there is 
no hint of imposing the course, all the more so nobody makes 
you buy at gunpoint. Bare jabs and conclusions about the 
course from those who did not buy it - please do not post; I 
immediately call the moderators and everything is removed. 
How can you talk about the course without having been on the 
forum? How can we talk about what you do not know, if you 
were not in the motivation section of the forum, where there 
are dozens of success stories of students? I bought the course, 
learned, wrote a review. I am a moderator only of the SEO 
section, and the "Work" section where this topic is - I cannot 
moderate. 

7. What do I receive after payment? 

Education - after payment you receive video / txt + access to 
the forum; watch / read / do; have questions - ask; discuss - 
post to the forum; if not - I tell you. If you read the topic, many 
people write that the trick is in the forum, because there is a 
lot of relevant info there and everyone is happy to help you. All 
the free software data - paid counterparts are shown in the 
forum. Access to the forum and ICQ consultations - unlimited. 

8. How much is needed for a successful quick start? 

Then (in a week or so) you will need $10-20 for a VPN (or its 
analog, proxy / socks, or a Dedicated Server) and 200-300 
rubles for glanders. 

9. How fast will I recoup / master the course? 

Everything is individual; to calculate and even to say (to you) 
this time period is hard, as it may depend both on the human 
factor (your knowledge, experience) and on Yandex, which is 
quite unpredictable. Based on the experience of previous 
students, a doorway gives $200 within 4 to 30 days after 
publication in the index; it usually climbs in after 3-4 aps. 
Ap dates are completely random; look here 
http://seobudget.ru/updates, labeled SERP. 

10. The forum market. 

On our forum, which you can access after purchase, there is a 
market, as on any other forum; it is an integral part of a forum 
that wants to live, and in the end we are all on this forum for 
one reason - we all want to make money; someone has already 
earned, someone is just starting. Unlike other forums, the 
market on the forum is controlled by me; it is monopolized. 
Courses of this kind on the forum - only I sell them and no one 
else; other commercial activity on the forum does not need to 
be coordinated with me, but if it is removed - it does not belong 
here. 

Screenshots provided by actual customers of the 
service, featuring its primary ICQ contact point: 
Blackhat SEO - it doesn't just pay the bills. 

Updates will be posted as soon as new developments take 
place. 

1. http://www.av-test.org/fileadmin/pdf/avtest2013-03_search_engines_malware_english.pdf 

2. http://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.html 

3. http://www.zdnet.com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333 

4. http://www.zdnet.com/blog/security/botnets-committing-click-fraud-observed/1200 

5. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+%22blackhat+seo%22&oq=site:ddanchev.blogspot.com+%22blackhat+seo%22&gs_l= 

6. http://ddanchev.blogspot.com/2009/06/peek-inside-managed-blackhat-seo.html 

7. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+blackhat+seo 
Fake Microsoft Security Scam 

By Roy Tobin 

Recently we have seen an increase in fake Microsoft scams 
which function by tricking people into thinking that their PC is 
infected. With these types of scams there are a number of 
things to remember: 

1. Microsoft will never call you telling you that your PC is infected 

2. Never allow strangers to connect to your PC 

3. Do not give any credit card info to somebody claiming to be from Microsoft 

4. If in doubt, shut down your PC and call Webroot 

The current scam will display a webpage that is very similar to 
the one in Figure 1. There are a number of ways to figure out 
that this is a false alert. The first is that it's a website 
message and not a program; the second is that the location of 
the web site will be a random string of letters. 

More details: Continue reading -> 


Summarizing Webroot's Threat Blog Posts for April 
( 2013 - 05-01 14 : 32 ) 

The following is a brief summary of all of my posts at 
Webroot's Threat Blog for April, 2013. You can subscribe to 

[1]Webroot's Threat Blog RSS Feed, or follow me on 
Twitter: 

01. [2]DIY Java-based RAT (Remote Access Tool) spotted in 
the wild 

02. [3]Spamvertised 'Re: Changelog as promised' themed 
emails lead to malware 

03. [4]Cybercrime-friendly service offers access to tens of 
thousands of compromised accounts 

04. [5]Madi/Mahdi/Flashback OS X connected malware 
spreading through Skype 

05. [6]Cybercriminals selling valid 'business card' data of 
company executives across multiple verticals 

06. [7]A peek inside the 'Zerokit/0kit/ring0 bundle' bootkit 

07. [8]DIY Skype ring flooder offered for sale 

08. [9]Spamvertised 'Your order for helicopter for the 
weekend' themed emails lead to malware 

09. [10]A peek inside a 'life cycle aware' underground 
market ad for a private keylogger 

10. [11]American Airlines 'You can download your ticket' 
themed emails lead to malware 

11. [12]Cybercriminals offer spam-friendly SMTP servers for 
rent 

12. [13]How mobile spammers verify the validity of 
harvested phone numbers - part two 

13. [14]A peek inside a (cracked) commercially available 
RAT (Remote Access Tool) 

14. [15]DIY Russian mobile number harvesting tool spotted 
in the wild 

15. [16]DIY SIP-based TDoS tool/number validity checker 
offered for sale 

16. [17]CAPTCHA-solving Russian email account registration 
tool helps facilitate cybercrime 

17. [18]Historical OSINT - The 'Boston Marathon explosion' 
and 'Fertilizer plant explosion in Texas' themed malware 
campaigns 

18. [19]Fake 'DHL Delivery Report' themed emails lead to 
malware 

19. [20]Cybercriminals impersonate Bank of America (BofA), 
serve malware 

20. [21]How fraudulent blackhat SEO monetizers apply 
Quality Assurance (QA) to their DIY doorway generators 

21. [22]Managed 'Russian ransomware' as a service spotted 
in the wild 



This post has been reproduced from [23]Dancho 
Danchev's blog. Follow him [24]on Twitter. 

1. http://feeds2.feedburner.com/WebrootThreatBlog 

2. http://blog.webroot.com/2013/04/01/diy-java-based-rat-remote-access-tool-spotted-in-the-wild/ 

3. http://blog.webroot.com/2013/04/02/spamvertised-re-changelog-as-promised-themed-emails-lead-to-malware/ 

4. http://blog.webroot.com/2013/04/03/cybercrime-friendly-service-offers-access-to-tens-of-thousands-of-compromised-accounts/ 

5. http://blog.webroot.com/2013/04/04/madimahdiflashback-os-x-connected-malware-spreading-through-skype/ 

6. http://blog.webroot.com/2013/04/05/cybercriminals-selling-valid-business-cards-data-of-company-executives-across-multiple-verticals/ 

7. http://blog.webroot.com/2013/04/08/a-peek-inside-the-zerokit0kitring0-bundle-bootkit/ 

8. http://blog.webroot.com/2013/04/09/diy-skype-ring-flooder-offered-for-sale/ 

9. http://blog.webroot.com/2013/04/10/spamvertised-your-order-for-helicopter-for-the-weekend-themed-emails-lead-to-malware/ 

10. http://blog.webroot.com/2013/04/11/a-peek-inside-a-life-cycle-aware-underground-market-ad-for-a-private-keylogger/ 

11. http://blog.webroot.com/2013/04/12/american-airlines-you-can-download-your-ticket-themed-emails-lead-to-malware/ 

12. http://blog.webroot.com/2013/04/15/cybercriminals-offer-spam-friendly-smtp-servers-for-rent/ 

13. http://blog.webroot.com/2013/04/16/how-mobile-spammers-verify-the-validity-of-harvested-phone-numbers-part-two/ 

14. http://blog.webroot.com/2013/04/17/a-peek-inside-a-cracked-commercially-available-rat-remote-access-tool/ 

15. http://blog.webroot.com/2013/04/18/diy-russian-mobile-number-harvesting-tool-spotted-in-the-wild/ 

16. http://blog.webroot.com/2013/04/19/diy-sip-based-tdos-toolnumber-validity-checker-offered-for-sale/ 

17. http://blog.webroot.com/2013/04/23/captcha-solving-russian-email-account-registration-tool-helps-facilitate-cybercrime/ 

18. http://blog.webroot.com/2013/04/24/historical-osint-the-boston-marathon-explosion-and-fertilizer-plant-explosion-in-texas-themed-malware-campaigns/ 

19. http://blog.webroot.com/2013/04/25/fake-dhl-delivery-report-themed-emails-lead-to-malware/ 

20. http://blog.webroot.com/2013/04/26/cybercriminals-impersonate-bank-of-america-bofa-serve-malware/ 

21. http://blog.webroot.com/2013/04/29/how-fraudulent-blackhat-seo-monetizers-apply-quality-assurance-qa-to-their-diy-doorway-generators/ 

22. http://blog.webroot.com/2013/04/30/managed-russian-ransomware-as-a-service-spotted-in-the-wild/ 

23. http://ddanchev.blogspot.com/ 

24. http://twitter.com/danchodanchev 
Fake 'Facebook Profile Spy Application' Campaign 
Spreading Across Facebook (2013-05-24 18:58) 

Over the last couple of days, multi-tasking cybercriminals 
have been spreading a "Facebook Profile Spy" campaign 
across Facebook, enticing users into installing a rogue 
Chrome extension, next to monetizing the campaign through 
an unethical pseudo-mobile marketing agency known as 
Prizerally. 

Sample redirection chain: 

hxxps://www.facebook.com/pages/Hajmelrnjr/172683159561584?sk=app_190322544333196&9DyG45 
-> hxxp://horribleapps.com 
-> hxxp://terribleapps.com 
-> hxxps://chrome.google.com/webstore/detail/oacggeibdmjpmecojanlbbngabkincif 
-> hxxp://www.picapplication.com/profile/last html?l 
-> hxxp://flightdealsrome.net/?subid=4563 
-> hxxp://lp.prizerally.com 
Screenshot of the fake 'Facebook Profile Spy' app page: "Now 
you can see who has been looking at your profile and pictures 
on Facebook! Get instant notifications when someone is looking 
at your profile page on the world's most popular social 
network.", followed by sample notifications such as "Anna 
Meyers checked out your picture", "Molly Fitzgerald checked 
out your profile", "Rachel Snow checked out your profile" and a 
"See All Notifications" link. 

Domain names reconnaissance: 

horribleapps.com - 66.150.99.179 (picovator.com) - Email: 
Masterjxl2@gmail.com 

terribleapps.com - 66.150.99.21 (puzzledapps.com; 
testyapps.com) - Email: Masterjxl2@gmail.com 

picapplication.com - 66.150.99.179 - Email: 
joshuarhodes1989@gmail.com 

flightdealsrome.net - 174.140.17.100 

prizerally.com - 46.19.35.207 - Email: 
domains@mypengomobile.com 

We also got a list of fraudulent and typosquatted domains 
known to have responded to the same IP (174.140.17.100) in 
the past. 


zerosurvey.net 
As well as the following malicious MD5s phoning back to the same IP in the past:

[1]MD5: e315a877c58773ce82cc32fc192bdfa5
[2]MD5: 1cd4c2a2b2143689b185e064dc6c331c
[3]MD5: 26c5102e75daf3d3c696ad719bc55ad4

Prizerally's scheme is fairly simple:

Service costs £3 per question played and a £4,50 sign up fee applies. You will receive an additional £1.50 charge for a reminder message tomorrow. Winners will be contacted every first business week of the month, all question entries must be received before 00.00 on the last day of the month. This is not a subscription service. Minimum age 18+ with bill payer's permission. One prize available per service per month. Customer service: call 0800 408 0796, email uk@prizerally.com or visit the website: www.prizerally.com. Play the game on your mobile. The winner will be selected among all participants in the first business week of every month. When participating you acknowledge that you agree to the terms & conditions, you are a resident of the UK, 18 years or older and authorized account holder and/or that you have the consent of the account holder. £3 per question. This service is a product of Mypengo Mobile.

Free entry method: send an email with your name, phone number, and prize you want to win to info@prizerally.com.

Prizerally is not affiliated with, sponsored by or endorsed by any of the listed products or retailers. Trademarks, service marks, logos (including, without limitation, the individual names of products and retailers) are the property of their respective owners. When you see one of our Products on the Internet, you can start receiving our content via SMS (i.e. text message). You can enter your mobile telephone number on the landing pages via the Internet and confirm your registration. You hereby agree to the Terms and Conditions. Prizerally charges you £3,00 per question played. Each sent answer will be followed by a new question. If you stop sending answers you will not receive any more messages. Once stopped you will receive one extra £1,50 reminder message. To stop this message, simply text STOP to 85150. From this moment on you have to decide on your own if you will continue to play for more points. By answering a question, you will receive a new message containing a new puzzle/question also chargeable at £ 1,50 per text message received. When you stop sending answers the game will end. O2 and Orange customers can only spend the maximum amount of £ 30.00 a day. This spending cap applies for one day, so the next day these customers are eligible to play again. The maximum amount you can spend on our Prizerally service is £ 99.00.

Facebook has been notified. The rogue Chrome extension has already been removed.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter.
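The domain list above is useful beyond simple blocking: most of the names are lookalikes of well-known brands (YouTube, Hotmail, Facebook, Google, Twitter, Wikipedia, Kongregate, Yahoo), and a defender who feeds such a list into a DNS or proxy blocklist usually wants each name tagged with the brand it imitates. The following Python script is an added example, not code from the original post or from Dancho Danchev. The brand list, the tiny public-suffix stand-in and the two thresholds (whole-label distance of at most 2, embedded-brand distance of at most 1) are this example's own assumptions, and SAMPLE_DOMAINS is a constructed subset of the list above with two benign controls added.

```python
"""Tag the domains in a list like the one above with the brand they imitate."""

# Brands this example looks for (assumption: chosen from the names in the list above).
BRANDS = ("youtube", "facebook", "hotmail", "google", "twitter",
          "wikipedia", "kongregate", "yahoo")

# Minimal stand-in for a public-suffix list (assumption; a real scan would use the PSL).
KNOWN_SUFFIXES = {"co.in", "net.in", "co.uk"}

# Constructed subset of the domain list above, plus two benign controls at the end.
SAMPLE_DOMAINS = [
    "gyoutube.com", "yootube.com", "youtuhe.com", "www-yuotube.com",
    "hohotmail.com", "ohotmail.com", "mfacebook.com", "hack-facebook.com",
    "twittee.com", "googllemaps.com", "kogregate.com", "yahoomailk.com",
    "watchyoutube.com", "wickapidea.com",
    "surveyalot.net", "quizbust.net",
]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the public suffix: 'www.youtuve.com' -> 'youtuve'."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    if len(parts) >= 3 and ".".join(parts[-2:]) in KNOWN_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def embedded_distance(label: str, brand: str) -> int:
    """Smallest edit distance between the brand and any window of the label whose
    length is within one of the brand's, so 'googllemaps' scores 1 against 'google'."""
    best = edit_distance(label, brand)
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        if 0 < width <= len(label):
            for start in range(len(label) - width + 1):
                best = min(best, edit_distance(label[start:start + width], brand))
    return best


def classify(domain: str, brands=BRANDS):
    """Return (brand, kind) for a suspicious domain, or None.
    kind is 'lookalike' when the whole label is within 2 edits of the brand and
    'brand-embedded' when the brand appears (within 1 edit) inside a longer label."""
    label = registrable_label(domain)
    if label in brands:
        return None  # the genuine domain itself
    candidates = []
    for brand in brands:
        whole = edit_distance(label, brand)
        inside = embedded_distance(label, brand)
        if whole <= 2:
            candidates.append((inside, whole, brand, "lookalike"))
        elif inside <= 1:
            candidates.append((inside, whole, brand, "brand-embedded"))
    if not candidates:
        return None
    _, _, brand, kind = min(candidates)  # closest brand wins; ties are deterministic
    return brand, kind


def scan(domains):
    """Map each flagged domain to its (brand, kind) verdict."""
    verdicts = {}
    for domain in domains:
        verdict = classify(domain)
        if verdict is not None:
            verdicts[domain] = verdict
    return verdicts


if __name__ == "__main__":
    for domain, (brand, kind) in scan(SAMPLE_DOMAINS).items():
        print(f"{domain:22} {kind:15} imitates {brand}")
```

The edit distance catches the fat-finger and swapped-letter variants (yuotube, twittee, kogregate); the sliding-window check catches a brand buried in a longer label (googllemaps, watchyoutube, hack-facebook). A name like wickapidea, several edits from wikipedia even after alignment, slips through the thresholds chosen here, which is the usual trade-off between recall and false positives on an unfiltered passive-DNS feed.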
A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports (2013-05-25 18:52)

[1]Fake IDs/fake passports have always been a hot [2]commodity within the cybercrime ecosystem.

Thanks to their general availability and affordable prices - naturally based on the quality that a potential cybercriminal/fraudster is seeking - the vendors behind them continue undermining the trust chain that society/the market thrives on, by empowering cybercriminals and fugitives with new IDs to be later used in related fraudulent activities.

In this post, I'll sample fraudulent activity on the Russian underground marketplace, feature exclusive screenshots of fake passports currently offered for sale, and discuss how relatively low-profile cybercriminals have been literally generating fake (Russian) passports for years, primarily relying on DIY passport/stamp generating tools.

Sample screenshots of the inventory of available fake passports for multiple countries:

Affected countries include: Russia, Belarus, Canada, Germany, Denmark, Finland, Israel, Netherlands (Holland), Norway, Romania, United Kingdom, United States, Australia, Ukraine. The prices vary between $20-30 and, according to the vendors, the documents use real people's data/photos etc.

It's also worth emphasizing that, of all the countries, Russia's underground marketplace for fake documents is perhaps the most vibrant one. Next to high-quality fake documents/IDs/passports, there are naturally the cheap alternatives, which Russian fraudsters have been literally generating for years, relying on DIY (do-it-yourself) tools/stamp editors like these:

Thanks to the demand for such underground market assets, I'm certain that the market would continue flourishing, and would eventually reach a stage where the vendors start sacrificing OPSEC (Operational Security) in an attempt to reach customers from virtually every country. With localization-on-demand services proliferating, next to the affiliate-based revenue-sharing models that are ubiquitous in the cybercrime ecosystem, vendors of fake documents/IDs/passports have virtually everything they need at their disposal, if they were to start targeting the international audience.

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter.

1. http://www.team-cymru.com/ReadingRoom/Whitepapers/2010/FakeID_in_the_Underground_Economy.pdf
2. http://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards.html
3. http://ddanchev.blogspot.com/
4. http://twitter.com/danchodanchev
Summarizing Webroot's Threat Blog Posts for May (2013-06-04 15:24)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for May, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]FedWire 'Your Wire Transfer' themed emails lead to malware

02. [4]A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool

03. [5]New IRC/HTTP based DDoS bot wipes out competing malware

04. [6]New version of DIY Google Dorks based mass website hacking tool spotted in the wild

05. [7]Citibank 'Merchant Billing Statement' themed emails lead to malware

06. [8]Fake Amazon 'Your Kindle E-Book Order' themed emails circulating in the wild, lead to client-side exploits and malware

07. [9]Cybercriminals impersonate New York State's Department of Motor Vehicles (DMV), serve malware

08. [10]Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin

09. [11]Newly launched E-shop for hacked PCs charges based on malware 'executions'

10. [12]New subscription-based 'stealth Bitcoin miner' spotted in the wild

11. [13]Fake 'Free Media Player' distributed via rogue 'Adobe Flash Player HD' advertisement

12. [14]Newly launched 'Magic Malware' spam campaign relies on bogus 'New MMS' messages

13. [15]Commercial 'form grabbing' rootkit spotted in the wild

14. [16]DIY malware cryptor as a Web service spotted in the wild - part two

15. [17]CVs and sensitive info soliciting email campaign impersonates NATO

16. [18]New commercially available DIY invisible Bitcoin miner spotted in the wild

17. [19]Fake 'Export License/Payment Invoice' themed emails lead to malware

18. [20]Compromised Indian government Web site leads to Black Hole Exploit Kit

19. [21]Cybercriminals resume spamvertising Citibank 'Merchant Billing Statement' themed emails, serve malware

20. [22]Marijuana-themed DDoS for hire service spotted in the wild

21. [23]Fake 'Vodafone U.K Images' themed malware serving spam campaign circulating in the wild

This post has been reproduced from [24]Dancho Danchev's blog. Follow him [25]on Twitter.

1. http://blog.webroot.com/
2. http://feeds2.feedburner.com/WebrootThreatBlog
3. http://blog.webroot.com/2013/05/01/fedwire-your-wire-transfer-themed-emails-lead-to-malware/
4. http://blog.webroot.com/2013/05/02/a-peek-inside-a-cve-2013-0422-exploiting-diy-malicious-java-applet-generating-tool/
5. http://blog.webroot.com/2013/05/03/new-irchttp-based-ddos-bot-wipes-out-competing-malware/
6. http://blog.webroot.com/2013/05/06/new-version-of-diy-google-dorks-based-mass-website-hacking-tool-spotted-in-the-wild/
7. http://blog.webroot.com/2013/05/07/citibank-merchant-billing-statement-themed-emails-lead-to-malware/
8. http://blog.webroot.com/2013/05/08/fake-amazon-your-kindle-e-book-order-themed-emails-circulating-in-the-wild-lead-to-client-side-exploits-and-malware/
9. http://blog.webroot.com/2013/05/09/cybercriminals-impersonate-new-york-states-department-of-motor-vehicles-dmv-serve-malware/
10. http://blog.webroot.com/2013/05/10/cybercriminals-offer-http-based-keylogger-for-sale-accept-bitcoin/
11. http://blog.webroot.com/2013/05/13/newly-launched-e-shop-for-hacked-pcs-charges-based-on-malware-executions/
12. http://blog.webroot.com/2013/05/14/new-subscription-based-stealth-bitcoin-miner-spotted-in-the-wild/
13. http://blog.webroot.com/2013/05/15/fake-free-media-player-distributed-via-rogue-adobe-flash-player-hd-advertisement/
14. http://blog.webroot.com/2013/05/17/newly-launched-magic-malware-spam-campaign-relies-on-bogus-new-mms-messages/
15. http://blog.webroot.com/2013/05/17/commercial-form-grabbing-rootkit-spotted-in-the-wild/
16. http://blog.webroot.com/2013/05/20/diy-malware-cryptor-as-a-web-service-spotted-in-the-wild-part-two/
17. http://blog.webroot.com/2013/05/21/cvs-and-sensitive-info-soliciting-email-campaign-impersonates-nato/
18. http://blog.webroot.com/2013/05/22/new-commercially-available-diy-invisible-bitcoin-miner-spotted-in-the-wild/
19. http://blog.webroot.com/2013/05/23/fake-export-licensepayment-invoice-themed-emails-lead-to-malware/
20. http://blog.webroot.com/2013/05/24/compromised-indiian-government-web-site-leads-to-black-hole-exploit-k
21. http://blog.webroot.com/2013/05/29/cybercriminals-resume-spamvertsing-citibank-merchant-billing-statement-themed-emails-serve-malware/
22. http://blog.webroot.com/2013/05/30/marijuana-themed-ddos-for-hiire-service-spotted-in-the-wild/
23. http://blog.webroot.com/2013/05/31/fake-vodafone-u-k-images-themed-malware-serviing-spam-campaign-circulating-in-the-wild/
24. http://ddanchev.blogspot.com/
25. http://twitter.com/danchodanchev
Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook (2013-06-10 15:07)

A currently ongoing, Facebook-spreading, malware-serving campaign entices users into downloading and executing a malicious executable pretending to be a "Who's Viewed Your Facebook Profile" extension. In reality, the executable, part of a campaign that's been ongoing for several months, will steal private information from local browsers, will auto-start on Windows startup, and will attempt to infect all of the victim's friends across Facebook.

The executable, along with several other related executables that are part of the campaign, is currently hosted on Google Code, and according to Google Code's statistics, one of the malicious files has already been downloaded 1,870,788 times. Surprisingly, the Google Code project is called "Project Don't Download". Very interesting self-contradicting social engineering attempt.

Let's dissect the campaign, list the domain portfolio used in it, provide detection rates for the malicious executables, and connect the campaign to multiple other campaigns observed in the wild over the last couple of weeks.

[1]

Sample redirection chain:

hxxp://cnlz3.tk/?2959858
->
hxxp://profilelo.8c1.net/
->
hxxp://profileste.uni.me/?skuwjjsadsuquwhdas
->
hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe

Subdomain reconnaissance:

profilelo.8c1.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimil4@live.com

Detection rate for the malicious executable: [2]MD5: c5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs

Once executed, the sample drops the following MD5s on the affected hosts:

MD5: 3729796a618de670128e80bb750dba35
MD5: bc5ea93000fd79cf3d874567068adfc5
MD5: 3448d5a74e86fdc88569df99dbc19c55
MD5: c3c67c3df487390dfdfa4890832b8a46
MD5: 161fff31429f1fcd99a56208cf9d2b58
MD5: c8dfbeb2e89a9557523b5a57619a9c44
MD5: b83d2283066c68e8cc448c578dd121aa
MD5: 0e254726843ed308ca142333ea0c5d28
MD5: cbb6e03d0b08ba4a8eeac1467921b7dd
MD5: a3ef72a0345a564bde3df2654f384a21
MD5: 123c9d897b74548aa6ce65b456a8b732
MD5: 181f01156f23d4e732a414eaa2f6b870
MD5: 74d4b4298bc6fe8871ad1aa654d347c6

Download statistics for the malicious executables hosted on Google Code:

Profile Viewer - 5.exe - 1,870,788 downloads
Profile Stalker - V.exe - 45983 downloads
Profile View - 5v2.exe - 9496 downloads
Profile Stalker - D.exe - 2 downloads

Detection rates for the malicious executables hosted on Google Code:

Profile Stalker - D.exe - [3]MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL

Profile Stalker - V.exe - [4]MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.ClickerlBT

Profile Viewer - 5.exe - [5]MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out of 47 antivirus scanners as Troj/Agent-ABOE

Samples phone back to the following URLs/domains:

hxxp://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1 26 153&bic=00A473047B09414785A7A54908970321IE&app=30413&appver=0&verifier=d3459d462f931be10f76456d86fe24d5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=1&type=1&asw=0

stats.app-data.net - 207.171.163.139
app-static.crossrider.com - 69.16.175.10
errors.app-data.net - 207.171.163.139

Facebook and Google have been notified.

This post has been reproduced from [6]Dancho Danchev's blog. Follow him [7]on Twitter.

1. http://1.bp.blogspot.com/-lxZlezC4rz0/UbW86IHzcBI/AAAAAAAAFu0/dmO14sZpxaa/s1600/Whos Viewed Your Facebook Profile Fake Rogue Extension.png
2. https://www.virustotal.com/en/file/7b5f495dbc987f16c1f331141dd9dd62a8066503226d5bf457cbd5875515a600/analysis/
3. https://www.virustotal.com/en/file/5a2729550420e40836fd2f5e2bb42fe4b9d36dd3fbb0f12fc05b829b5e295f80/analysis/1370862388/
4. https://www.virustotal.com/en/file/07ac717f288cdee6c5b6ef4eeda86f90892ef26fd11c7aac11ea6401a7dcc2e6/analysis/1370862459/
5. https://www.virustotal.com/en/file/de7e13991bbbe84c6470c070d675ceff1f07b3ff3c545ca53b33ebbc1790b9c9/analysis/1370862551/
6. http://ddanchev.blogspot.com/
7. http://twitter.com/danchodanchev
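This post and the Prizerally write-up above publish their indicators in the same three shapes: defanged hxxp:// URLs in a redirection chain, "domain - IP (related domains) - Email:" reconnaissance lines, and MD5 lines. Turning that into something a blocklist or a SIEM lookup can consume means refanging, parsing, and pivoting on shared infrastructure, which is exactly the "known to have responded to the same IP" reasoning both posts rely on. The following Python script is an added example, not code from either post or from Dancho Danchev: SAMPLE is a constructed block that copies the line formats of the two posts (the hosts sharing 207.171.163.139 from this post and 66.150.99.179 from the Prizerally post), and the regexes and the IndicatorSet structure are this example's own.

```python
"""Parse the defanged indicator blocks used in posts like the two above into a
structured set that a blocklist or SIEM lookup can consume."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample in the posts' own formats: a defanged redirection chain,
# "domain - IP (related domains) - Email:" reconnaissance lines and MD5 lines.
SAMPLE = """Sample redirection chain:

hxxp://cnlz3.tk/?2959858 -> hxxp://profilelo.8c1.net/ -> hxxp://profileste.uni.me/?skuwjjsadsuquwhdas -> hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe

Subdomain reconnaissance:

profilelo.8c1.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimil4@live.com
horribleapps.com - 66.150.99.179 (picovator.com) - Email: Masterjxl2@gmail.com
stats.app-data.net - 207.171.163.139
errors.app-data.net - 207.171.163.139

Detection rate for the malicious executable: MD5: c5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners

Once executed, the sample drops the following MD5s on the affected hosts:

MD5: 3729796a618de670128e80bb750dba35
MD5: bc5ea93000fd79cf3d874567068adfc5
"""

RE_URL = re.compile(r"hxxps?://[^\s<>\"']+")
RE_MD5 = re.compile(r"\b[0-9a-f]{32}\b", re.I)
# One reconnaissance line: domain, optional IP, optional "(related; domains)", optional Email.
RE_RECON = re.compile(
    r"^(?P<domain>[a-z0-9][\w.-]*\.[a-z]{2,})\s+-\s+"
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s*\((?P<related>[^)]*)\))?"
    r"(?:\s*-?\s*Email:\s*(?P<email>[\w.+-]+@[\w.-]+))?\s*$",
    re.M | re.I,
)


@dataclass
class IndicatorSet:
    urls: list = field(default_factory=list)
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    md5s: set = field(default_factory=set)
    ip_to_domains: dict = field(default_factory=lambda: defaultdict(set))
    email_to_domains: dict = field(default_factory=lambda: defaultdict(set))


def refang(text: str) -> str:
    """Undo the hxxp:// defanging so the URL can be parsed (it is never fetched here)."""
    return re.sub(r"^hxxp", "http", text, flags=re.I)


def redirect_chain(text: str) -> list:
    """Hops of the '->'-separated chain, in order, refanged."""
    for para in re.split(r"\n\s*\n", text):
        if "->" in para:
            return [refang(hop.strip()) for hop in para.split("->") if hop.strip()]
    return []


def extract(text: str) -> IndicatorSet:
    """Collect URLs, domains, IPs, registrant e-mails and MD5s, with IP and e-mail pivots."""
    iocs = IndicatorSet()
    for raw in RE_URL.findall(text):
        url = refang(raw)
        iocs.urls.append(url)
        host = urlsplit(url).hostname
        if host:
            iocs.domains.add(host)
    for m in RE_RECON.finditer(text):
        domain = m["domain"].lower()
        linked = {domain}
        for rel in (m["related"] or "").replace(";", " ").split():
            linked.add(rel.lower())  # domains the post lists as sharing the IP
        iocs.domains.update(linked)
        if m["ip"]:
            iocs.ips.add(m["ip"])
            iocs.ip_to_domains[m["ip"]].update(linked)
        if m["email"]:
            email = m["email"].lower()
            iocs.emails.add(email)
            iocs.email_to_domains[email].add(domain)
    iocs.md5s.update(h.lower() for h in RE_MD5.findall(text))
    return iocs


def shared_infrastructure(iocs: IndicatorSet) -> dict:
    """IPs that more than one domain resolved to: the pivot the posts use to tie
    typosquatted and fraudulent domains to one operator."""
    return {ip: doms for ip, doms in iocs.ip_to_domains.items() if len(doms) > 1}


def blocklist(iocs: IndicatorSet) -> list:
    """Sorted, deduplicated domain list ready for a DNS RPZ or proxy deny list."""
    return sorted(iocs.domains)


if __name__ == "__main__":
    found = extract(SAMPLE)
    print("chain:", " -> ".join(redirect_chain(SAMPLE)))
    print("shared IPs:", shared_infrastructure(found))
    print("blocklist:", blocklist(found))
```

The IP pivot only says that two names resolved to the same address at some point; on shared hosting that is weak evidence on its own, so a real pipeline would confirm it against passive DNS and registrant data before promoting a neighbour domain from "related" to "blocked".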
Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook

(2013-06-10 15:07)

A currently ongoing malware-serving campaign spreading across Facebook entices users into downloading and executing a malicious executable that pretends to be a "Who's Viewed Your Facebook Profile" extension. In reality, the executable, part of a campaign that has been ongoing for several months, steals private information from local browsers, auto-starts on Windows startup, and attempts to infect all of the victim's friends across Facebook.

The executable, together with several other related executables that are part of the campaign, is currently hosted on Google Code, and according to Google Code's statistics, one of the malicious files has already been downloaded 1,870,788 times. Surprisingly, the Google Code project is called "Project Don't Download". Very interesting self-contradicting social engineering attempt.

Let's dissect the campaign, list the domain portfolio used in it, provide detection rates for the malicious executables, and connect the campaign to multiple other campaigns observed in the wild over the last couple of weeks.

[1]

Sample redirection chain:

hxxp://cnlz3.tk/?2959858 -> hxxp://profilelo.8cl.net/ -> hxxp://profileste.uni.me/?skuwjjsadsuquwhdas -> hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe

Subdomain reconnaissance:

profilelo.8cl.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimil4@live.com

Detection rate for the malicious executable: [2]MD5: C5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs

Once executed, the sample drops the following MD5s 
on the affected hosts: 


Download statistics for the malicious executables 
hosted on Google Code: 

Profile Viewer - 5.exe - 1,870,788 downloads 

Profile Stalker - V.exe - 45983 downloads 

Profile View - 5v2.exe - 9496 downloads 

Profile Stalker - D.exe - 2 downloads 

Detection rates for the malicious executables hosted on Google Code:

Profile Stalker - D.exe - [3]MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL

Profile Stalker - V.exe - [4]MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.ClickerlBT

Profile Viewer - 5.exe - [5]MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out of 47 antivirus scanners as Troj/Agent-ABOE

Samples phone back to the following URLs/domains:

hxxp://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=l 26 _153&bic=00A4 7304 7B09414 785A 7A54908970321 IE&app=30413&appver=0&verifier=d3459d462f931bel0f76456d86fe24d5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=l&type=l&asw=0

stats.app-data.net - 207.171.163.139
app-static.crossrider.com - 69.16.175.10
errors.app-data.net - 207.171.163.139

Facebook and Google have been notified. 

Updates will be posted as soon as new developments take 
place. 

1. http://1.bp.blogspot.com/-lxZlezC4rzQ/UbW86IHzcBI/AAAAAAAAFu0/dmO14sZpxaa/s1600/Whos Viewed Your Facebook Profile Fake Rogue Extension.png
2. https://www.virustotal.com/en/file/7b5f495dbc987fl6clf331141dd9dd62a8066503226d5bf457cbd5875515a600/analysis/
3. https://www.virustotal.com/en/file/5a2729550420e40836fd2f5e2bb42fe4b9d36dd3fbb0fl2fc05b829b5e295f80/analysis/1370862388/
4. https://www.virustotal.com/en/file/07ac717f288cdee6c5b6ef4eeda86f90892ef26fdllc7aacllea6401a7dcc2e6/analysis/1370862459/
5. https://www.virustotal.com/en/file/de7el3991bbbe84c6470c070d675cefflf07b3ff3c545ca53b33ebbcl790b9c9/analysis/1370862551/

'Anonymous' Group's DDoS Operation Titstorm
(2013-06-12 20:01)

With last month's [1]'Anonymous' Group's DDoS Operation Titstorm campaign a clear success based on the real-time monitoring of the crowdsourcing-driven attack, it's time to take a brief retrospective on the tools and tactics used, and relate

- Go through an analysis of 2009's failed [2]Operation Didgeridie DDoS campaign

Why is Operation Titstorm an important one to profile? Not only because it worked compared to [3]Operation Didgeridie, but also due to the fact that crowdsourcing-driven (malicious culture of participation) DDoS attacks have proven themselves throughout the past several years as an alternative to DDoS-for-hire attacks.

- DIY ICMP flooders

- Web based multiple iFrame loaders to consume server CPU

- Web based email bombing tools (predefined lists of emails belonging to government officials/employees)

Go through related posts on crowdsourcing DDoS attacks/malicious culture of participation:

[4] Coordinated Russia vs Georgia cyber attack in progress

[5] Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

[6] People's Information Warfare Concept

[7] Electronic Jihad v3.0 - What Cyber Jihad Isn't

[8] Electronic Jihad's Targets List

[9] The DDoS Attack Against CNN.com

[10] Chinese Hacktivists Waging People's Information Warfare Against CNN

[11] The Russia vs Georgia Cyber Attack

[12] Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

[13] Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth

[14] Iranian Opposition DDoS-es pro-Ahmadinejad Sites

This post has been reproduced from [15]Dancho Danchev's blog. Follow him [16]on Twitter.

1. http://www.smh.com.au/technology/technology-news/operation-titstorm-hackers-bring-down-government-websites-20100210-naku.html
2. http://blogs.zdnet.com/security/?p=4234
3. http://blogs.zdnet.com/security/?p=4234
4. http://blogs.zdnet.com/security/?p=1670
5. http://blogs.zdnet.com/security/?p=3613
6. http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html
7. http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html
8. http://ddanchev.blogspot.com/2007/11/electronic-jihads-targets-list.html
9. http://ddanchev.blogspot.com/2008/04/ddos-attack-against-cnncom.html
10. http://ddanchev.blogspot.com/2008/04/chinese-hacktivists-waging-peoples.html
11. http://ddanchev.blogspot.com/2008/08/russia-vs-georgia-cyber-attack.html
12. http://ddanchev.blogspot.com/2008/10/real-time-osint-vs-historical-osint-in.html
13. http://ddanchev.blogspot.com/2009/01/pro-israeli-pseudo-cyber-warriors-want.html
14. http://ddanchev.blogspot.com/2009/06/iranian-opposition-ddos-es-pro.html
15. http://ddanchev.blogspot.com/
16. http://twitter.com/danchodanchev

Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains (2013-06-20 22:44)

Bogus content populating Scribd, centralized malicious/typosquatted/parked domains/fraudulent infrastructure, combined with dozens of malware samples phoning back to this very same infrastructure to monetize the fraudulently generated traffic: it doesn't get any better than this, does it?

URL redirection chain:

hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?epl=98EbooDNwLit-qQViA4tbYD7JMZAQuEUyV387pMYNBODms0CdAg9qAe5QvBgKTO6xW6jHWliYo5F8yDlvYx7Aavd8wLHmZwHDIItbG4Eta-GVtiO3i9LlnzyK0YgWmT2BOaEeaipahFIE8yB7mCEBrQzXXtQBVUSIMGIEwTo9iUpOlyDUOM0mZKYzSpf6qGIAAgYN_vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqAAAADw -> monetization through Google/MSN

Domain names reconnaissance:

papaver.in - 69.43.161.176 - Email: belcanto@hushmail.com - Belcanto Investment Group
dsnetservices.com - 208.73.211.152 - Email: admin@overseedomainmanagement.com - Oversee Domain Management, LLC

The following related domains are also registered with the same email (belcanto@hushmail.com):

Out of the hundreds of domains known to have phoned back to the same IP in the past, the following are particularly interesting:


Malicious MD5s known to have made HTTP 
(monetization) requests to the same IP 
(69.43.161.176): 


Malicious MD5s known to have made HTTP 
(monetization) requests to the same IP 
(208.73.211.152): 



This case is a great example of one of the core practices when profiling cybercrime incidents and campaigns: sample everything, as what you're originally seeing is just the tip of the iceberg.
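
The "sample everything" practice just described, as an added example that is not part of the original post: starting from the two domains in the redirection chain, it pivots across shared IPs, registrant e-mails and sample callbacks over a constructed data set (the domains, IPs and e-mail addresses are the ones named in the post; the parked-NN domains, the 198.51.100.7 address and the sample ids are placeholders), with a fan-out cap so that a parking IP such as the Oversee one does not pull hundreds of unrelated parked domains into the cluster while the samples calling it are still collected.

```python
"""Infrastructure pivoting over a constructed indicator graph.

Added example, not code from the original post. The domains, IPs and
registrant e-mails are the ones named in the post; every parked-NN domain,
the 198.51.100.7 address and all sample ids are constructed placeholders.
"""
from collections import defaultdict, deque

# Constructed passive-DNS style records: (domain, ip it resolved to).
RESOLUTIONS = [
    ("papaver.in", "69.43.161.176"),
    ("777payday.com", "69.43.161.176"),
    ("cashforcrisis.com", "69.43.161.176"),
    ("paupal.it", "69.43.161.176"),
    ("cheapuc.com", "198.51.100.7"),          # placeholder IP
    ("dsnetservices.com", "208.73.211.152"),
] + [(f"parked-{n:02d}.example", "208.73.211.152") for n in range(60)]

# Constructed WHOIS style records: domain -> registrant e-mail.
REGISTRANTS = {
    "papaver.in": "belcanto@hushmail.com",
    "777payday.com": "belcanto@hushmail.com",
    "cheapuc.com": "belcanto@hushmail.com",
    "dsnetservices.com": "admin@overseedomainmanagement.com",
    "unrelated.example": "someone@example.org",  # never reached
}
REGISTRANTS.update({d: "admin@overseedomainmanagement.com"
                    for d, _ in RESOLUTIONS if d.startswith("parked-")})

# Constructed sandbox records: (sample id, ip it made an HTTP request to).
CALLBACKS = [
    ("sample-placeholder-01", "69.43.161.176"),
    ("sample-placeholder-02", "69.43.161.176"),
    ("sample-placeholder-03", "208.73.211.152"),
    ("sample-placeholder-04", "198.51.100.7"),
]


def build_graph(resolutions, registrants, callbacks):
    """Undirected graph whose nodes are typed indicators: (kind, value)."""
    adj = defaultdict(set)

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    for domain, ip in resolutions:
        link(("domain", domain), ("ip", ip))
    for domain, email in registrants.items():
        link(("domain", domain), ("email", email))
    for sample, ip in callbacks:
        link(("sample", sample), ("ip", ip))
    return adj


def pivot(adj, seed_domains, max_fanout=50):
    """Breadth-first pivot from seed domains across shared IPs, registrant
    e-mails and sample callbacks.

    A group of neighbours of one kind larger than max_fanout (a parking IP
    with hundreds of domains, a registrar's catch-all e-mail) is reported
    as a hub and not traversed, so shared infrastructure does not flood the
    cluster; samples calling such an IP still form their own, smaller group
    and are collected. Returns (cluster by kind, list of hubs)."""
    start = [("domain", d) for d in seed_domains]
    seen = set(start)
    queue = deque(start)
    hubs = []
    while queue:
        node = queue.popleft()
        groups = defaultdict(list)
        for neighbour in sorted(adj.get(node, ())):   # sorted: deterministic
            groups[neighbour[0]].append(neighbour)
        for kind, members in groups.items():
            if len(members) > max_fanout:
                hubs.append((node, kind, len(members)))
                continue
            for neighbour in members:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
    cluster = defaultdict(set)
    for kind, value in seen:
        cluster[kind].add(value)
    return dict(cluster), hubs


def pivot_from_post(max_fanout=50):
    """Pivot from the two domains in the post's redirection chain."""
    adj = build_graph(RESOLUTIONS, REGISTRANTS, CALLBACKS)
    return pivot(adj, ["papaver.in", "dsnetservices.com"], max_fanout)


if __name__ == "__main__":
    cluster, hubs = pivot_from_post()
    for kind in ("domain", "ip", "email", "sample"):
        print(f"{kind}: {sorted(cluster[kind])}")
    for node, kind, size in hubs:
        print(f"hub skipped: {node} has {size} {kind} neighbours")
```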

Related posts:

[1] Click Fraud, Botnets and Parked Domains - All Inclusive

[2] A Commercial Click Fraud Tool

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter.

1. http://ddanchev.blogspot.com/2008/07/click-fraud-botnets-and-parked-domains.html
2. http://ddanchev.blogspot.com/2007/08/commercial-click-fraud-tool.html
3. http://ddanchev.blogspot.com/
4. http://twitter.com/danchodanchev

Fake 'Rihanna & Chris Brown S3X Video' Spam Campaign Spreading Across Facebook, Monetized Through Adf Dot Ly PPC Links (2013-06-22 10:56)

A currently ongoing, click-jacking driven spam campaign is circulating across Facebook, with the affected users further spreading the adf.ly links on the Walls of their friends, in between tagging them, and the cybercriminal/cybercriminals behind the campaign earning revenue through the adf.ly pay-per-click (PPC) monetization scheme.

Redirection chain: 

hxxp://adf. Iy/Qrd2f?cid=51c3e 798a ff:9a 
-> 

hxxp://rihannaofficialvideo. blogspot. de/?231514 









hxxp://www.smilegags. com/watch/jack.php ?action=connect 
&cid=51c3e798a ff9a -> hxxp://lolzbestpic. com 
MD5s for the Facebook spamming/click-jacking scripts:

MD5: fe97840bd2af654acdb63fd80b094531
MD5: f8a360728a896d40bbb0f190375fb6f6
MD5: bae32ffd43ac2f518dafeedb8901e2de
MD5: 90fa366b8affac24fe182b7b5de51b16

Domain name reconnaissance:

smilegags.com - 184.107.164.158
lolzbestpic.com - 64.79.76.226

Name servers used:

Name Server: NS1.PYARISHQ.INFO
Name Server: NS2.PYARISHQ.INFO
Name Server: NS1.HOSTING.XLHOST.COM
Name Server: NS2.HOSTING.XLHOST.COM

Responding to the same IP (184.107.164.158) are also the following domains:

amasave.com
wikilieaksvideo.com
ns1.pyarishq.info
ns2.pyarishq.info

Known to have responded to the same IP (184.107.164.158) in the past are also the following domains:

costcochristmas.com
costcogives.com
giftcardgratis.com
icagivings.com
iomanako.com
picknpaygives.com
remabilaget.com
rewegives.com
vodkaforyou.info
topvideosweden.com

Responding to (64.79.76.226) is also the following domain:

sila I 7. info

Known to have responded to the same IP (64.79.76.226) in the past is also the following domain:

promvideo.pw
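The reconnaissance above pivots from the two hosts at the end of the redirect chain to every other domain that shares their IPs, now or in the past. The following Python is an added example, not code from the original post: it runs that pivot over a handful of constructed passive-DNS-style records built from the domain/IP pairs listed above (the last-seen dates and the seven-day "currently active" window are assumptions), so an analyst can reproduce the "also responding to the same IP" and "known to have responded in the past" lists and flatten them into a blocklist.

```python
"""Cluster campaign domains by the IP they resolve to (passive-DNS pivot).

Added example, not code from the original post. RECORDS is a constructed
set of (domain, ip, last_seen) observations modelled on the resolutions
listed in the post; the dates are assumptions, only the domain/IP pairs
come from the post.
"""
from collections import defaultdict
from datetime import date

RECORDS = [
    ("smilegags.com", "184.107.164.158", date(2013, 6, 22)),
    ("lolzbestpic.com", "64.79.76.226", date(2013, 6, 22)),
    ("amasave.com", "184.107.164.158", date(2013, 6, 22)),
    ("wikilieaksvideo.com", "184.107.164.158", date(2013, 6, 21)),
    ("ns1.pyarishq.info", "184.107.164.158", date(2013, 6, 22)),
    ("costcogives.com", "184.107.164.158", date(2012, 12, 20)),
    ("rewegives.com", "184.107.164.158", date(2013, 1, 5)),
    ("promvideo.pw", "64.79.76.226", date(2013, 5, 30)),
]

SEEDS = {"smilegags.com", "lolzbestpic.com"}  # redirect-chain endpoints
AS_OF = date(2013, 6, 22)                     # assumed analysis date


def pivot_by_ip(records, seed_domains, as_of, active_days=7):
    """For every IP a seed domain resolves to, split the co-hosted domains
    into those seen within active_days of as_of ("current") and older ones
    ("historical"). Returns {ip: {"seed": [...], "current": [...],
    "historical": [...]}} with each list sorted."""
    by_ip = defaultdict(list)
    for domain, ip, seen in records:
        by_ip[ip].append((domain, seen))
    seed_ips = {ip for d, ip, _ in records if d in seed_domains}

    result = {}
    for ip in sorted(seed_ips):
        current, historical = [], []
        for domain, seen in by_ip[ip]:
            if domain in seed_domains:
                continue
            if (as_of - seen).days <= active_days:
                current.append(domain)
            else:
                historical.append(domain)
        result[ip] = {
            "seed": sorted(d for d, i, _ in records
                           if i == ip and d in seed_domains),
            "current": sorted(current),
            "historical": sorted(historical),
        }
    return result


def blocklist(pivot):
    """Flatten a pivot result into one sorted list of domains to block."""
    names = set()
    for entry in pivot.values():
        for bucket in ("seed", "current", "historical"):
            names.update(entry[bucket])
    return sorted(names)


def campaign_pivot():
    """Pivot for the two hosts at the end of the redirect chain above."""
    return pivot_by_ip(RECORDS, SEEDS, AS_OF)


if __name__ == "__main__":
    for ip, entry in campaign_pivot().items():
        print(ip, entry)
    print("blocklist:", blocklist(campaign_pivot()))
```

The "current" versus "historical" split matters for response: domains still pointing at the IP are candidates for immediate blocking, while older ones are context that can mis-fire on hosting that has since been reassigned.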

Related posts:

[1] Koobface Botnet Redirects Facebook's IP Space to my Blog

[2] Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook

[3] Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook

[4] Phishing Campaign Spreading Across Facebook

[5] Facebook Malware Campaigns Rotating Tactics

[6] MySpace Phishers Now Targeting Facebook

[7] Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560

[8] Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits

This post has been reproduced from [9]Dancho Danchev's blog. Follow him [10]on Twitter.

1. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html

2. http://ddanchev.blogspot.com/2013/06/malware-serving-whos-viewed-your.html

3. http://ddanchev.blogspot.com/2013/05/fake-facebook-profile-spy-application.html

4. http://ddanchev.blogspot.com/2008/06/phishing-campaign-spreading-across.html

5. http://ddanchev.blogspot.com/2008/08/facebook-malware-campaigns-rotating.html

6. http://ddanchev.blogspot.com/2008/01/myspace-phishers-now-targeting-facebook.html

7. http://ddanchev.blogspot.com/2010/06/facebook-photo-album-themed-malware.html

8. http://ddanchev.blogspot.com/2010/01/facebookaol-update-tool-spam-campaign.html

9. http://ddanchev.blogspot.com/

10. http://twitter.com/danchodanchev
Summarizing Webroot's Threat Blog Posts for June (2013-07-04 18:38)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for June, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. [3]Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform released on the underground marketplace

02. [4]New E-shop sells access to thousands of hacked PCs, accepts Bitcoin

03. [5]Pharmaceutical scammers impersonate Facebook's Notification System, entice users into purchasing counterfeit drugs

04. [6]iLivid ads lead to 'Searchqu Toolbar/Search Suite' PUA (Potentially Unwanted Application)

05. [7]Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, Freelancer accounts offered for sale

06. [8]Scammers impersonate the UN Refugee Agency (UNHCR), seek your credit card details

07. [9]Fake 'Unsuccessful Fax Transmission' themed emails lead to malware

08. [10]Tens of thousands of spamvertised emails lead to W32/Casonline

09. [11]Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA)

10. [12]How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them

11. [13]Rogue ads target EU users, expose them to Win32/Toolbar.SearchSuite through the KingTranslate PUA

12. [14]New boutique iFrame crypting service spotted in the wild

13. [15]Rogue 'Oops Video Player' attempts to visually social engineer users, mimicks Adobe Flash Player's installation process

14. [16]New E-Shop sells access to thousands of malware-infected hosts, accepts Bitcoin

15. [17]New subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool spotted in the wild

16. [18]Rogue 'Free Mozilla Firefox Download' ads lead to 'InstallCore' Potentially Unwanted Application (PUA)

17. [19]SIP-based API-supporting fake caller ID/SMS number supporting DIY Russian service spotted in the wild

18. [20]Rogue 'Free Codec Pack' ads lead to Win32/InstallCore Potentially Unwanted Application (PUA)

19. [21]Self-propagating ZeuS-based source code/binaries offered for sale

20. [22]How cybercriminals create and operate Android-based botnets

This post has been reproduced from [23]Dancho 
Danchev's blog. Follow him [24]on Twitter. 

1. http://blog.webroot.com/

2. http://feeds2.feedburner.com/WebrootThreatBlog

3. http://blog.webroot.com/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedding-platform-released-on-the-underground-marketplace/

4. http://blog.webroot.com/2013/06/04/new-e-shop-sells-access-to-thousands-of-hacked-pcs-accepts-bitcoin/

5. http://blog.webroot.com/2013/06/05/pharmaceutical-scammers-impersonate-facebooks-notification-system-entice-users-into-purchasing-counterfeit-drugs/

6. http://blog.webroot.com/2013/06/06/ilivid-ads-lead-to-searchqu-toolbarsearch-suite-pua-potentially-unwanted-application/

7. http://blog.webroot.com/2013/06/07/hacked-origin-uplay-hulu-plus-netflix-spotify-skype-twitter-instagram-tumblr-freelancer-accounts-offered-for-sale/

8. http://blog.webroot.com/2013/06/10/scammers-impersonate-the-un-refugee-agency-unhcr-seek-your-credit-cards-details/

9. http://blog.webroot.com/2013/06/11/fake-unsuccessful-fax-transmission-themed-emails-lead-to-malware/

10. http://blog.webroot.com/2013/06/12/tens-of-thousands-of-spamvertised-emails-lead-to-w32casonline/

11. http://blog.webroot.com/2013/06/13/rogue-ads-lead-to-safemonitorapp-potentially-unwanted-application-pua/

12. http://blog.webroot.com/2013/06/14/how-cybercriminals-apply-quality-assurance-qa-to-their-malware-campaigns-before-launching-them/

13. http://blog.webroot.com/2013/06/17/rogue-ads-target-eu-users-expose-them-to-win32toolbar-searchsuite-through-the-kingtranslate-pua/

14. http://blog.webroot.com/2013/06/18/new-boutique-iframe-crypting-service-spotted-in-the-wild/

15. http://blog.webroot.com/2013/06/19/rogue-oops-video-player-attempts-to-visually-social-engineer-users-mimicks-adobe-flash-players-installation-process/

16. http://blog.webroot.com/2013/06/20/new-e-shop-sells-access-to-thousands-of-malware-infected-hosts-accepts-bitcoin/

17. http://blog.webroot.com/2013/06/21/new-subscription-based-sha256scrypt-supporting-stealth-diy-bitcoin-mining-tool-spotted-in-the-wild/

18. http://blog.webroot.com/2013/06/24/rogue-free-mozilla-firefox-download-ads-lead-to-installcore-potentially-unwanted-application-pua/

19. http://blog.webroot.com/2013/06/25/sip-based-api-supporting-fake-caller-idsms-number-supporting-diy-russian-service-spotted-in-the-wild/

20. http://blog.webroot.com/2013/06/26/rogue-free-codec-pack-ads-lead-to-win32installcore-potentially-unwanted-application-pua/

21. http://blog.webroot.com/2013/06/27/self-propagating-zeus-based-source-codebinaries-offered-for-sale/

22. http://blog.webroot.com/2013/06/28/how-cybercriminals-create-and-operate-android-based-botnets/

23. http://ddanchev.blogspot.com/

24. http://twitter.com/danchodanchev
Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills' Service Randomizes and Generates Unique Fakes On The Fly (2013-07-04 19:42)
In my most recent analysis of the [1]Russian underground marketplace for fake documents/IDs/passports, I emphasized the overall prevalence of fake identities, which can be either manually 'crafted' by experienced designers possessing high-quality scanned originals in order to produce physical copies, or automatically generated, with the users sacrificing quality in the process or looking for a bargain deal.

What's also worth emphasizing, in terms of discussing this cybercrime ecosystem market segment from multiple perspectives, is the overall international acceptance of scanned identification documents for various remote identification purposes, which opens the door to the systematic abuse of a vast number of legitimate services, as well as helping to facilitate the generation of fake personalities, which can be abused in any way the fraudster desires.

What are some of the latest developments within this cybercrime ecosystem market segment? The introduction of a scalable, [2]DIY (do it yourself) self-service on the basis of a pseudo-randomized database of fake identity data, with photo IDs carrying randomized appearance characteristics on the fake scanned documents to avoid detection of a single pattern, all available as a service as of June, 2013.

Basically, what this service does is provide a DIY Web-based interface where users can take advantage of the on-the-fly generation of fake scanned copies of identification documents such as passports/IDs or credit cards.

According to the vendor, the service has an inventory of over 200 photos for passports and IDs, and completely randomizes multiple aspects of the generated scanned fakes, in an attempt to mitigate the probability of having an entire set of statically generated fakes easily detected by, for instance, law enforcement.

The vendor also claims that the service can generate a fake in approximately 40 seconds. Payment methods accepted? WebMoney, PerfectMoney, Bitcoin and Paymer.

Sample screenshots of scanned fakes generated using the service, and offered as samples:

Sample screenshots of the fake scanned utility bills/credit cards generated using the service:

Financial institutions part of the service's inventory of fake scanned credit cards:

- Amegybank
- Barclays
- Bpn
- Boa
- Capital One
- Chase
- Cibs
- Citibank
- Citizens
- Commonwealth
- Harborstone
- Hfds
- Icba
- Nab
- Natwest
- Navy Federal
- Nordstrombank
- Rbs
- Silverton
- Societegenerale
- Sparkasse
- Union Plus
- US Bank
- Wachovia
- Wells Fargo
- Westpac

With scanned IDs continuing to act as the primary (remote) identification factor for a huge number of legitimate companies, it shouldn't be surprising that cybercriminals have apparently found a way to automate the process, allowing it to scale and eventually grow, with the efficiency-centered model becoming the de facto standard for [3]Quality Assurance (QA) within the cybercrime ecosystem.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter.

1. http://ddanchev.blogspot.com/2013/05/a-peek-inside-russian-underground.html

2. http://blog.webroot.com/tag/diy/

3. http://blog.webroot.com/tag/quality-assurance/

4. http://ddanchev.blogspot.com/

5. http://twitter.com/danchodanchev
A Peek Inside a Managed OTP/ATS/TAN Token Bypassing/Hijacking/Blocking System as a (Licensed) Service (2013-07-19 22:43)

One of the most common questions that I get during Q&A sessions after a PPT, or in a face-to-face conversation, is:

"Hello, my name is [name], I represent [random financial institution]. Are we being targeted, based on your situational awareness?"

For years, virtually every company, every brand and every financial institution has been targeted, largely thanks to the rise of Crimeware-as-a-Service underground market propositions offering standardized, cybercrime-release-friendly 'Web Injects', the result of active pre-sale reconnaissance performed on the E-banking service of the targeted institution. The business model is fairly simple: next to 'pushing' a pre-defined set of 'Web Injects' for some of the largest and best known financial institutions in the world, 'Web Injects' for virtually any SSL/two-factor-authentication-enabled Web site can be requested and produced on demand, usually for a fixed amount of money.

"But we issue two-factor authentication tokens to our customers. Isn't this making any change?"

Sophisticated cybercriminals possessing 'innovative', underground-market-disrupting forces have been [1]undermining two-factor authentication for years. An uncomfortable truth that your financial institution of choice wouldn't necessarily want you to know about, as it would most commonly [2]risk-forward the responsibility to you under a contractual agreement, or actually possess an industry-accepted certification for the operation of such online services, thanks to the introduction of two-factor authentication and the internal security measures preventing a direct compromise of the financial institution's infrastructure.

With source code for the [3]ZeuS crimeware, as well as [4]Carberp, publicly available for virtually anyone to download, it [5]shouldn't be surprising that [6]cybercriminals have started to release more crimeware built on these prominent releases, in an attempt to quickly capitalize on source code that has been contributing to a huge percentage of the profitability of the cybercrime ecosystem in general.

What are some of the latest 'innovations' in the world of Cybercrime-as-a-Service, in particular the market segment for "Web Injects"? Are cybercriminals striving to produce ZeuS/Carberp-like underground market "products", or are they attempting to disrupt the entire cybercrime ecosystem by offering standardized E-banking Web site reconnaissance services that would work on virtually any crimeware/malware release based on publicly obtainable/leaked source code?
That's exactly what the cybercriminal whose underground market proposition I'm about to profile is doing: offering crimeware-independent, standardized, on-demand "Web Injects", in particular an OTP (One-Time Password), ATS (Automatic Transfer Service) and TAN (Transaction Authentication Number) bypassing/hijacking/blocking system, or, in those cases where the customer demands it, "finished crimeware products".

Sample automatically translated underground market proposition:

I am writing to inject custom-made as well as offer finished products.

The main provisions of the Service:

1. Tools manufactures both private and public products.

1.1 Under the private means software products manufactured "in one hand" with the full right to transfer and resale. The client of the right to require the source code private product. Support for the private software somewhere executed in priority order.

1.2 If the "privacy" of the product is not stipulated in advance that product becomes the default public service and the right to sell it to other customers.

1.3 Prices for private products involve premium of 50 % to the price of the underlying / social product.

1.4 Distribution / Transmission of any parts of the code or of the products purchased on the basis of the public, will result in a denial of service on all products purchased from third-party service, followed by filing a complaint in section Black List.

1.5 Public products are delivered on an "as is," and do not include its value of any additions or changes.

1.5.1 Any changes to the products are made public as an additional order and measured in accordance with the workload.

1.6 Service does not run on the lease terms. Only a piecework basis!

1.7 Service does not give advice about cross-translation, relevance or affine those topics. For providing information about banks / cantor Service is not responsible.

2. Service is responsible for the performance of the paid code for the negotiated period.

2.1 If the period of service is not verbalized it enters into force standard warranty period is 10 days from the date of issue of working product.

3. Warranties:

3.1 The Service shall recover from the purchased products for a specified warranty period, for that is technically possible. Free of charge - during the warranty period, and the charge on the expiration of the warranty period. Prices for the repair of products range from $ 10 up to the full cost of the product and depend directly on the volume of the work.

3.2. Service is not responsible for the failure of performance caused by the code:

3.2.1 The introduction of third-party software which prevents full operation. (Rapport)

3.2.2 The introduction of sms / email notifications that can not be disabled by means of injection.

3.2.3 The introduction of this activity exhibiting malicious code (without the possibility of elimination)

3.2.4 The other changes in the source code of banks / sites prevent recovery of the product.

3.3 The Service does not guarantee a return to work ordered acquired products, but only can guarantee the performance of the software according to the negotiated terms of reference.

4. Approximate prices for soft (public foundation)

grabber balance of $ 10 (1 unit)
popup $ 70
Fake full page from $150
repleyser from $ 450 (3 units each include an additional $ 50.. 100)
grabbers data from 150 $
Automated OTP/ATS/TAN from $ 2500
Sample explanation of the service in action, courtesy of the cybercriminal behind it:

Sample screenshots of the service in action:

Sample screenshot of the ATSEngine in action targeting HSBC:

Some of the most recent updates to the system include:

01/11/2012 - Sets full info grabbers for AU (37 banks) / CA (30 banks) / US (40 banks). Data on Holder to SSN / MMN / DOB / DL / DL exp / VBV...

01/11/2012 - Grabbers CC + VBV (paypal, ebay, amazon, facebook)

01/11/2012 - The system change number and Grading necessary disk imaging (input issues, balance sheets) for the Gulf santanderco.uk (instant on UK to 10kGBP)

02/11/2012 - Grabber additional data for paypal (DE / UK / AU / with the possibility to add other countries). Collects: Name Holder, Balance, Status (verif / neverif), Account Type, Time of the last entry, as well as rooms full of affection card and / or bank accounts for the AU and the UK, and questions with answers for DE

13/11/2012 - Grabber TANs to ipko.pl

23/11/2012 - Avtozaliv on hsbc.co.uk

23/11/2012 - Grabber cc + cvv + exp + pin. works on all pages on which the algorithm finds on LUHN10 card number and exp field and collects requests PIN

11/29/2012 - intercept system / bypass token to fnb.co.za

Two-factor authentication is indeed an additional layer of security for your E-banking account; however, everything changes on a crimeware-infected host, and sadly, it changes in favor of the cybercriminal who compromised it.
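The changelog above says the card grabber fires on any page where its script finds a Luhn-valid card number next to an expiry field. The same mod-10 check is what a defender's DLP rule or reverse-proxy filter uses to spot card data being submitted where it should not be. The following Python is an added example, not code from the post or from the service it describes: a Luhn validator, a PAN detector built on it, and a check over two constructed form submissions (the card number is the public Visa test number used by payment processors, not a real card; the field names are assumptions).

```python
"""Luhn (mod 10) check and a PAN detector over submitted form fields.

Added example, not code from the post. CHECKOUT and LOGIN are constructed
sample submissions; the PAN in CHECKOUT is a public processor test number.
"""
import re


def luhn_ok(digits: str) -> bool:
    """True if a 13-19 digit string passes the Luhn mod-10 checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of d
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to further digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY or MM/YYYY expiry-looking values.
EXP_RE = re.compile(r"\b(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b")


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number candidates in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def flag_card_fields(fields: dict) -> dict:
    """Given one form submission, report which fields hold a Luhn-valid PAN
    and whether an expiry-looking value is present alongside it."""
    hits = {k: find_pans(str(v)) for k, v in fields.items()}
    hits = {k: v for k, v in hits.items() if v}
    has_exp = any(EXP_RE.search(str(v)) for v in fields.values())
    return {"pan_fields": hits, "expiry_present": has_exp}


# Constructed sample submissions: a checkout form and a login form whose
# phone number is long enough to look like a PAN but fails the checksum.
CHECKOUT = {"name": "J. Doe", "card": "4111 1111 1111 1111",
            "exp": "12/15", "cvv": "123"}
LOGIN = {"user": "jdoe", "password": "hunter2",
         "phone": "555 0100 2222 3333"}

if __name__ == "__main__":
    for label, form in (("checkout", CHECKOUT), ("login", LOGIN)):
        print(label, flag_card_fields(form))
```

Luhn alone is a weak signal (about one in ten random digit strings passes), which is why the detector also looks for an expiry field, mirroring the condition the grabber itself uses; a production rule would add an issuer-prefix check and alert on the submission's destination host rather than the content alone.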

This post has been reproduced from [7]Dancho Danchev's blog. Follow him [8]on Twitter.

1. http://www.zdnet.com/blog/security/modern-banker-malware-undermines-two-factor-authentication/4402

2. http://www.zdnet.com/blog/security/no-security-software-no-e-banking-fraud-claims-for-you/1158

3. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+zeus

4. https://blogs.rsa.com/the-carberp-code-leak/

5. http://blog.webroot.com/2013/03/14/new-zeus-source-code-based-rootkit-available-for-purchase-on-the-underground-market/

6. http://blog.webroot.com/2013/06/27/self-propagating-zeus-based-source-codebinaries-offered-for-sale/

7. http://ddanchev.blogspot.com/

8. http://twitter.com/danchodanchev
A Peek Inside a Managed OTP/ATS/TAN Token Bypassing/Hijacking/Blocking System as a (Licensed) Service (2013-07-19 22:43)

One of the most common questions that I get during Q&A sessions after a PPT, or in a face-to-face conversation, is:

"Hello, my name is [name], I represent [random financial institution]. Are we being targeted, based on your situational awareness?"

For years, virtually every company, every brand and every financial institution has been targeted, largely thanks to the rise of Crimeware-as-a-Service underground market propositions offering standardized, cybercrime-release-friendly 'Web Injects', the result of active pre-sale reconnaissance performed on the E-banking service of the targeted institution. The business model is fairly simple: next to 'pushing' a pre-defined set of 'Web Injects' for some of the largest and best known financial institutions in the world, 'Web Injects' for virtually any SSL/two-factor-authentication-enabled Web site can be requested and produced on demand, usually for a fixed amount of money.

"But we issue two-factor authentication tokens to our customers. Isn't this making any change?"

Sophisticated cybercriminals possessing 'innovative', underground-market-disrupting forces have been [1]undermining two-factor authentication for years. An uncomfortable truth that your financial institution of choice wouldn't necessarily want you to know about, as it would most commonly [2]risk-forward the responsibility to you under a contractual agreement, or actually possess an industry-accepted certification for the operation of such online services, thanks to the introduction of two-factor authentication and the internal security measures preventing a direct compromise of the financial institution's infrastructure.

With source code for the [3]ZeuS crimeware, as well as [4]Carberp, publicly available for virtually anyone to download, it [5]shouldn't be surprising that [6]cybercriminals have started to release more crimeware built on these prominent releases, in an attempt to quickly capitalize on source code that has been contributing to a huge percentage of the profitability of the cybercrime ecosystem in general.

What are some of the latest 'innovations' in the world of Cybercrime-as-a-Service, in particular the market segment for "Web Injects"? Are cybercriminals striving to produce ZeuS/Carberp-like underground market "products", or are they attempting to disrupt the entire cybercrime ecosystem by offering standardized E-banking Web site reconnaissance services that would work on virtually any crimeware/malware release based on publicly obtainable/leaked source code?
That's exactly what the cybercriminal whose underground market proposition I'm about to profile is doing: offering crimeware-independent, standardized, on-demand "Web Injects", in particular an OTP (One-Time Password), ATS (Automatic Transfer Service) and TAN (Transaction Authentication Number) bypassing/hijacking/blocking system, or, in those cases where the customer demands it, "finished crimeware products".

Sample automatically translated underground market proposition:

/ am writing to inject custom-made as well as offer finished 
products. 

The main provisions of the Service: 

1. Tools manufactures both private and public products. 

1.1 Under the private means software products manufactured "in one hand" with the full right to transfer and resale. The client of the right to require the source code private product. Support for the private software somewhere executed in priority order. 

1.2 If the "privacy" of the product is not stipulated in advance that product becomes the default public service and the right to sell it to other customers. 

1.3 Prices for private products involve premium of 50 % to the price of the underlying / social product. 

1.4 Distribution / Transmission of any parts of the code or of the products purchased on the basis of the public, will result in a denial of service on all products purchased from third-party service, followed by filing a complaint in section Black List. 

1.5 Public products are delivered on an "as is," and do not include its value of any additions or changes. 

1.5.1 Any changes to the products are made public as an additional order and measured in accordance with the workload. 

1.6 Service does not run on the lease terms. Only a piecework basis! 

1.7 Service does not give advice about cross-translation, relevance or affine those topics. For providing information about banks / cantor Service is not responsible. 

2. Service is responsible for the performance of the paid code for the negotiated period. 

2.1 If the period of service is not verbalized it enters into force standard warranty period is 10 days from the date of issue of working product. 

3. Warranties: 

3.1 The Service shall recover from the purchased products for a specified warranty period, for that is technically possible. Free of charge - during the warranty period, and the charge on the expiration of the warranty period. Prices for the repair of products range from $ 10 up to the full cost of the product and depend directly on the volume of the work. 

3.2. Service is not responsible for the failure of performance caused by the code: 

3.2.1 The introduction of third-party software which prevents full operation. (Rapport) 

3.2.2 The introduction of sms / email notifications that can not be disabled by means of injection. 

3.2.3 The introduction of this activity exhibiting malicious code (without the possibility of elimination) 

3.2.4 The other changes in the source code of banks / sites prevent recovery of the product. 

3.3 The Service does not guarantee a return to work ordered acquired products, but only can guarantee the performance of the software according to the negotiated terms of reference. 

4. Approximate prices for soft (public foundation) 

grabber balance of $ 10 (1 unit) 

popup $ 70 

Fake full page from $150 

repleyser from $ 450 (3 units each include an additional $ 50 .. 100) 

grabbers data from 150 $ 

Automated OTP/ATS/TAN from $ 2500 
Sample explanation of the service in action, courtesy of the cybercriminal behind it: 

Sample screenshots of the service in action: 

Sample screenshot of the ATSEngine in action targeting HSBC: 

Some of the most recent updates to the system include: 

01/11/2012 - Sets full info grabbers for AU (37 banks) / CA (30 banks) / US (40 banks). Data on Holder to SSN / MMN / DOB / DL / DL exp / VBV... 

01/11/2012 - Grabbers CC + VBV (paypal, ebay, amazon, facebook) 

01/11/2012 - The system change number and Grading necessary disk imaging (input issues, balance sheets) for the Gulf santander.co.uk (instant on UK to 10kGBP) 

02/11/2012 - Grabber additional data for paypal (DE / UK / AU / with the possibility to add other countries). Collects: Name Holder, Balance, Status (verif / neverif), Account Type, Time of the last entry, as well as rooms full of affection card and / or bank accounts for the AU and the UK, and questions with answers for DE 

13/11/2012 - Grabber TANs to ipko.pl 

23/11/2012 - Avtozaliv on hsbc.co.uk 

23/11/2012 - Grabber cc + cvv + exp + pin. works on all pages on which the algorithm finds on LUHN10 card number and exp field and collects requests PIN 

11/29/2012 - 540 intercept system / bypass token to fnb.co.za 

Two-factor authentication is indeed an additional layer of security for your E-banking account; however, everything changes on a crimeware-infected host, and sadly, it changes in favor of the cybercriminal that compromised it. 
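The 23/11/2012 update in the changelog above says the grabber decides whether a page carries a card number by running the Luhn (mod 10) check on the input fields. The same check is what a defender's DLP rule or log scanner uses to decide whether a digit string that shows up in outbound form data or application logs is a well-formed PAN, so that leaked card data can be flagged and masked before it reaches a ticket or a SIEM. The following is an added Python example, not code from the original post or from the tool it describes; the log lines are constructed, and the card numbers are the publicly known test numbers rather than real accounts.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) checksum: True when `digits` is a well-formed card number."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9        # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers (digits only) found in `text`."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan):
    """Keep the first six (BIN) and last four digits, mask everything between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines):
    """Return (line_number, masked_pan) for every PAN that leaked into a log line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample application log (assumption: a web shop writing request
# parameters to its access log). The card numbers are well-known public
# test numbers, not real accounts; the IBAN on line 3 is a 14-digit run that
# fails Luhn and so is correctly ignored.
SAMPLE_LOG = [
    "2013-07-23 17:01:12 POST /checkout user=alice card=4111111111111111 exp=11/14",
    "2013-07-23 17:01:15 POST /checkout user=bob card=1234567890123456 exp=01/15",
    "2013-07-23 17:02:03 GET /balance acct=GB29NWBK60161331926819 status=ok",
    "2013-07-23 17:02:40 note='amex 3782 822463 10005 kept on file'",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: card number found: {masked}")
```

Line 2 carries sixteen digits that look like a card number but fail the checksum, which is why a regex alone produces far too many false positives and why both the grabber and a DLP rule pair the pattern with Luhn. Line 4 shows that the separators humans type (spaces in Amex 4-6-5 groups) must be stripped before the check.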

1. http://www.zdnet.com/blog/security/modern-banker-malware-undermines-two-factor-authentication/4402 

2. http://www.zdnet.com/blog/security/no-security-software-no-e-banking-fraud-claims-for-you/1158 

3. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+zeus 

4. https://blogs.rsa.com/the-carberp-code-leak/ 

5. http://blog.webroot.com/2013/03/14/new-zeus-source-code-based-rootkit-available-for-purchase-on-the-underground-market/ 

6. http://blog.webroot.com/2013/06/27/self-propagating-zeus-based-source-codebinaries-offered-for-sale/ 
Cybercriminals Release New DIY Fake Account Registration/Management/Promotion Tool (2013-07-23 17:01) 

In 2013, CAPTCHAs represent an [1]outdated approach for a Web site wanting to prevent the [2]efficient and systematic abuse of its services. 

This fact, largely driven by the rise of [3]cost-effective CAPTCHA solving solutions offered by low-waged individuals internationally over the last couple of years, continues to empower virtually anyone possessing the right cybercrime-friendly tools with the ability to [4]abuse any major Web property in a potentially fraudulent or malicious way. 

In this post, I'll profile one of the most recently released DIY fake account registration/management/promoting tools, targeting Instagram, highlight its core features, and emphasize the true impact that these tools are having on some of the world's most popular Web properties. 

Sample screenshots of the tool in action: 

Some of its core features are: 

• support for multi-threads 

• set number of accounts to generate using a single proxy (malware-infected host) 

• randomization of the posted bogus content to avoid easy detection of the pattern 

• male/female fake account creating capabilities 

• mass account validity checking capabilities 

• CAPTCHA-solving integration with third-party CAPTCHA solving services 

Over the years, I've been extensively profiling campaigns utilizing purely legitimate infrastructure for achieving the fraudulent/malicious objectives set by the cybercriminal behind the campaign. These cases demonstrate that cybercriminals continue to pursue the efficient and systematic abuse of legitimate Web properties, which, on the other hand, continue relying on CAPTCHA challenges to differentiate between bots and humans using the site, forgetting that it's actually humans solving the CAPTCHAs for their customers, 24/7/365. 


Known cases of abuse of legitimate infrastructure for fraudulent/malicious purposes over the years include: 

• [5]Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains 

• [6]Fake Codec Serving Domains from Digg.com's Comment Spam Attack 

• [7]Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software 

• [8]Dissecting the Bogus LinkedIn Profiles Malware Campaign 

• [9]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms 

• [10]Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd 

• [11]Celebrity-Themed Scareware Campaign Abusing DocStoc 

• [12]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 

• [13]Pharmaceutical Spammers Targeting LinkedIn 

This post has been reproduced from [14]Dancho Danchev's blog. Follow him [15]on Twitter. 

1. http://ddanchev.blogspot.com/2009/06/peek-inside-managed-blackhat-seo.html 

2. http://blog.webroot.com/2013/04/23/captcha-solving-russian-email-account-registration-tool-helps-facilitate-cybercrime/ 

3. http://www.zdnet.com/blog/security/inside-indias-captcha-solving-economy/1835 

4. http://blog.webroot.com/2013/01/15/cybercriminals-release-automatic-captcha-solving-bogus-youtube-account-generating-tool/ 

5. http://ddanchev.blogspot.com/2013/06/bogus-shocking-video-content-at-scribd.html 

6. http://ddanchev.blogspot.com/2009/02/fake-codec-serving-domains-from.html 

7. http://ddanchev.blogspot.com/2009/04/bogus-linkedin-profiles-redirect-to.html 

8. http://ddanchev.blogspot.com/2009/01/dissecting-bogus-linkedin-profiles.html 

9. http://ddanchev.blogspot.com/2009/06/from-ukraine-with-scareware-serving.html 

10. http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign.html 

11. http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign_07.html 

12. http://ddanchev.blogspot.com/2009/07/from-ukraine-with-bogus-twitter.html 

13. http://ddanchev.blogspot.com/2009/02/pharmaceutical-spammers-targeting.html 

14. http://ddanchev.blogspot.com/ 

15. http://twitter.com/danchodanchev 
Summarizing Webroot's Threat Blog Posts for July (2013-08-01 19:01) 

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for July, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter: 

01. [3]Cybercriminals experiment with Tor-based C&C, ring-3-rootkit empowered, SPDY form grabbing malware bot 

02. [4]Deceptive ads targeting German users lead to the 'W32/SomotoBetterInstaller' Potentially Unwanted Application (PUA) 

03. [5]Newly launched underground market service harvests mobile phone numbers on demand 

04. [6]Novel ransomware tactic locks users' PCs, demands that they participate in a survey to get the unlock code 

05. [7]Spamvertised 'Export License/Invoice Copy' themed emails lead to malware 

06. [8]Cybercriminals spamvertise tens of thousands of fake 'Your Booking Reservation at Westminster Hotel' themed emails, serve malware 

07. [9]New commercially available mass FTP-based proxy-supporting doorway/malicious script uploading application spotted in the wild 

08. [10]Fake 'iG04 Private Car Insurance Policy Amendment Certificate' themed emails lead to malware 

09. [11]Tens of thousands of spamvertised emails lead to the Win32/PrimeCasino PUA (Potentially Unwanted Application) 

10. [12]Spamvertised 'Vodafone U.K MMS ID/Fake Sage 50 Payroll' themed emails lead to (identical) malware 

11. [13]New commercially available Web-based WordPress/Joomla brute-forcing tool spotted in the wild 

12. [14]Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Unwanted Application) 

13. [15]Yet another commercially available stealth Bitcoin/Litecoin mining tool spotted in the wild 

14. [16]Deceptive 'Media Player Update' ads expose users to the rogue 'Video Downloader/Bundlore' Potentially Unwanted Application (PUA) 

15. [17]Newly launched 'HTTP-based botnet setup as a service' empowers novice cybercriminals with bulletproof hosting capabilities 

16. [18]Fake 'Copy of Vodafone U.K Contract/Your Monthly Vodafone Bill is Ready/New MMS Received' themed emails lead to malware 

17. [19]Rogue ads lead to the 'Free Player' Win32/Somoto Potentially Unwanted Application (PUA) 

18. [20]How much does it cost to buy one thousand Russian/Eastern European based malware-infected hosts? 

19. [21]Custom USB sticks bypassing Windows 7/8's AutoRun protection measure going mainstream 

20. [22]DIY commercially-available 'automatic Web site hacking as a service' spotted in the wild 

This post has been reproduced from [23]Dancho Danchev's blog. Follow him [24]on Twitter. 

1. http://blog.webroot.com/ 

2. http://feeds2.feedburner.com/WebrootThreatBlog 

3. http://blog.webroot.com/2013/07/02/cybercriminals-experiment-with-tor-based-cc-ring-3-rootkit-empowered-spdy-form-grabbing-malware-bot/ 

4. http://blog.webroot.com/2013/07/03/deceptive-ads-targeting-german-users-lead-to-the-w32somotobetterinstaller-potentially-unwanted-application-pua/ 

5. http://blog.webroot.com/2013/07/04/newly-launched-underground-market-service-harvests-mobile-phone-numbers-on-demand/ 

6. http://blog.webroot.com/2013/07/08/novel-ransomware-tactic-locks-users-pcs-demands-that-they-participate-in-a-survey-to-get-the-unlock-code/ 

7. http://blog.webroot.com/2013/07/09/spamvertised-export-licenseinvoice-copy-themed-emails-lead-to-malware/ 

8. http://blog.webroot.com/2013/07/10/cybercriminals-spamvertise-tens-of-thousands-of-fake-your-booking-reservation-at-westminster-hotel-themed-emails-serve-malwar 

9. http://blog.webroot.com/2013/07/11/new-commercially-available-mass-ftp-based-proxy-supporting-doorwaymalicious-script-uploading-application-spotted-in-the-wild/ 

10. http://blog.webroot.com/2013/07/12/fake-igo4-private-car-insurance-policy-amendment-certificate-themed-emails-lead-to-malware/ 

11. http://blog.webroot.com/2013/07/15/tens-of-thousands-of-spamvertised-emails-lead-to-the-win32primecasino-pua-potentially-unwanted-application/ 

12. http://blog.webroot.com/2013/07/16/spamvertised-vodafone-u-k-mms-idfake-sage-50-payroll-themed-emails-lead-to-identical-malware/ 

13. http://blog.webroot.com/2013/07/17/new-commercially-available-web-based-wordpressjoomla-brute-forcing-tool-spotted-in-the-wild/ 

14. http://blog.webroot.com/2013/07/19/rogue-ads-targeting-german-users-lead-to-win32installbrain-pua-potentially-unwanted-application/ 

15. http://blog.webroot.com/2013/07/22/yet-another-commercially-available-stealth-bitcoinlitecoin-mining-tool-spotted-in-the-wild/ 

16. http://blog.webroot.com/2013/07/23/deceptive-media-player-update-ads-expose-users-to-the-rogue-video-downloaderbundlore-potentially-unwanted-application-pua/ 

17. http://blog.webroot.com/2013/07/24/newly-launched-http-based-botnet-setup-as-a-service-empowers-novice- 
Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise (2013-08-10 21:10) 

[1]The Russian Business Network (RBN) is perhaps the most speculated, buzzed about cybercrime enterprise in the World, a poster child for fraudulent activity 'streaming' from 'Mother Russia', in the eyes of respected/novice security/cybercrime researchers across the globe. 

However, what a huge percentage of the researchers who're just catching up with its '[2]fraudulent performance metrics' over the years don't realize is how a newly emerged bulletproof hosting provider managed to end up as the World's most prolific source of fraudulent/malicious activity. 

Hint: basic business concepts like franchising, signalling the early stages of the modernization/professionalization of cybercrime, where being the benchmark has had a direct inspirational impact in the 'hearts and minds' of current and potential cybercriminals, then and now. 





Case in point is [3]Abdallah Internet Hizmetleri, also known as AbdAllah (VN), an ex-RBN darling relying on the franchise business concept. 

In this post, I'll discuss a sample contract/contractual agreement that every one of its customers had to sign before doing business with them, which in the broader context leads to a situation where, while the franchise is publicly advertising bulletproof hosting services for trojans, exploits, warez, adult content, drop projects, botnets and spam, it's explicitly forbidding such activities, with some visible exceptions, in its contractual agreement. 

What does this mean? It means that the Russian Business Network, the benchmark for the majority of ex/currently active bulletproof hosting providers, has been (legally) forwarding the responsibility for the fraudulent activity to its customers, while reserving the right to act and deactivate their accounts if they ever violate the agreement/contract. The first thing that comes to my mind when it comes to the RBN 'reaction' in a socially oriented manner are the infamous [4]RBN Fake Account Suspended Notices, and that's just for starters, indicating a deteriorated understanding of malicious/fraudulent activity, with high profit margins in mind. 



Let's go through the contract/agreement that every customer used to sign before doing cybercrime-friendly business with them, both in the original Russian and automatically translated into English. 

Sample AbdAllah (VN) Contractual Bulletproof Hosting Agreement/Contract in Russian: 

[Russian original of the contract, sections 1 (Subject of Contract) through 5.4 (Confidential Information); the text is OCR-garbled in this copy, and the automatically translated English version follows.] 
Automatically translated Russian Business Network (RBN) Contractual Agreement/Contract: 

1. SUBJECT OF CONTRACT 

1.1. Customer Requests, but ARTIST is committed to the placement and / or registration CUSTOMER virtual server on the Internet. 

2. CONDITIONS OF IMPLEMENTATION OF THE TREATY 

2.1. At the conclusion of this treaty ARTIST produces initial setup and configuration of the virtual server and provides the necessary information for CUSTOMER virtual server administration. 

2.2. ARTIST provides access to the Internet to the virtual server, as well as efficiency of all available services CUSTOMER day seven days a week. 

3. PRICES AND ORDER OF PAYMENT 

3.1. Cost and arrangements of works under this contract at the time of its conclusion is determined in accordance with existing conditions, the staff distributed by E-Mail and / or ICQ. 

3.2. Payment is made ZAKAZCHIKOM as payment services support virtual web server ISPOLNITELEM. ARTIST right to suspend the provision of services at a negative status of the account. 

3.3. All dedicated servers are provided in a position UNMANAGED ie ISPOLNITELYA administrators can, but not OBYAZANY tune rented server. For any server setup CUSTOMER or scripts on it - charge of $ 50 USD / for 1 hour administrator ISPOLNITELYA to your question, at least half an hour. The full server administration specialists ISPOLNITELYA worth USD 250 per month. Free done rebooting the server (if not automatic form for this). 

3.4. If no payment ZAKAZCHIKOM bill on the last day of the period, the data are removed CUSTOMER new offensive on days without reciprocating. In the case of virtual hosting account and removed all of your backups, in case the rental server (dedicated or vps) server is removed from service, formatted hard drives. 

4. RESPONSIBILITY OF PARTIES 

4.1. ARTIST no responsibility to ZAKAZCHIKOM or third parties for any delays, interruptions, damage or losses that occur because of: 

(a) defects in any electronic or mechanical equipment, not belonging ISPOLNITELYU; 

(b) problems in the transfer of data or connection that occurred through no fault ISPOLNITELYA; 

(c) due to force majeure circumstances, in the conventional sense, that is, nepredotvratimymi forces and emergency circumstances, not subject to reasonable control; 

(g) pressure from the authorities. 

4.2. At the dissolution of the Treaty on the initiative CUSTOMER, ZAKAZCHIKU unused portion of the advance is not refundable. 

4.3. ARTIST reserves the right to suspend or terminate CUSTOMER service contract in order without the unconditional return of customer funds in the following cases: 

- Locating and zoofilii child pornography in any form; 

- attempted burglary, unauthorized entry to the server, in the accounts of other customers, trying to damage equipment or software; 

- attempted burglary governmental organizations in any form; 

- spam attempts of any kind from our servers hosting virtual except through SOCKS; 

- phishing attempts banks (stealing money); 

- posting on the arms trade and drug trafficking, or human organs, causing inter-ethnic and religious discord, calling for war and violence; 

- unjustified computing power overload virtual server hosting (which is allowed to use no more than 5 % of CPU capacity, and no more than 128 MB of RAM server); 

- attempted burglary of servers (and dedicated virtual hosting) - servers, which are located next to the rack, a customer in the same country where the server; 

- insulting to any form of service personnel. 

4.4. ARTIST is not responsible for the content of the information posted ZAKAZCHIKOM. 

4.5. ARTIST shall not be liable for any costs or damages arising directly or indirectly from the use of Web hosting services. 

4.6. MoneyBack for dedicated server is possible only in case the inaccessibility of the fault occurs on the server ISPOLNITELYA, because ARTIST pay for the full cost of a server in Data Center. Also possible replacement server. 

4.7. Placing sites CUSTOMER advertised on servers ISPOLNITELYA SPAM (as virtaulnogo hosting, and dedicated) is charged separately at the rate of the volume of letters. With volume of 5 million to 10 million USD = 1000 -1500 USD per month for the server in China or Cong Konge or 150 USD week, or 500 USD per month for a virtual hosting, a 10-20 million = 200 USD week, or $ 2000 for a dedicated server. 

4.8. ARTIST undertakes to do daily backups CUSTOMER account for the third-party server (only virtual hosting). 

4.9. ARTIST undertakes to decide all complaints (abuzy / abuse), are not engaging in the CUSTOMER and without interference in the CUSTOMER data. ARTIST does not solve complaints (abuzy / abuse) from the police, government organizations and major VerSign. 

4.10. ARTIST gives no guarantees that the domain CUSTOMER not be blocked for any reason, but especially like any kind of SPAM, fraud, phishing, etc. 

5. CONFIDENTIAL INFORMATION 

5.1. The Parties undertake without the unanimous consent not to transfer to third parties or used in any other way other than prescribed conditions Treaty, organizational and technological, commercial, financial and other information, which is the secret to any of the parties (hereinafter - "confidential information"), provided that: 

- this information is actual or potential commercial value by virtue of its unknown third parties; 

- to such information no free access to the lawful; 

- holds such information shall take appropriate steps to ensure its confidentiality. 

5.2. The Parties undertake, without unanimous consent, not to transfer to third parties about the content and conditions of the Treaty. 

5.3. ARTIST undertakes to prevent logging on servers and virtual hosting routing equipment. 

5.4. Be careful, do not require employees ISPOLNITELYA passwords from virtual hosting accounts and dedicated servers. The exception is when CUSTOMER request to any work for his Vydelennom Server. 

Excluding the direct offering of managed servers for spam sending in the actual agreement/contract, and the fact that their abuse department is virtually non-existent, the contract explicitly prohibits related malicious/fraudulent activity. Naturally, that's not the case when AbdAllah (VN) used to advertise its bulletproof hosting service across cybercrime-friendly communities, "back in the day": 
In 2013, despite the overall availability of RBN-like bulletproof hosting providers, cybercriminals continue experimenting with abusing legitimate infrastructure in an attempt to mitigate the risk of having their activities exposed. 

Various cases throughout the last couple of years include: 

• [5]Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastructure 

• [6]RSA: Banking trojan uses social network as command and control server 

• [7]Trojan.Whitewell: What's your (bot) Facebook Status Today? 

• [8]Twitter-based Botnet Command Channel 

• [9]Google Groups Trojan 

• [10]Zeus crimeware using Amazon's EC2 as command and control server 

The "best" is yet to come. 

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter. 

1 . 

https://www. a oo a I e.com/#bav=&a = site: ddanchev. blo g s oot. 
com + RBN 

2 . 

http://www.shadowserver.or a /wiki/uploads/lnformation/RBN- 

AS40989. pdf 

3. 

http://www.shadowserver.or a /wiki/uploads/lnformation/RBN_ 

Rizin a.pdf 

4. http://ddanchev.blo as pot.com/2QQ8/Ql/rbns-fake- 
account-suspended-notices.html 

5. 

http://www.zdnet.com/blo a /securit v/c vbercriminals-use- 
twitter-l inked in-ba id u-msdn-as-command-and-control- 


infrastructure/11210 
























6. http://www.zdnet.com/blo a /securitv/rsa-bankin a -tro i an- 
uses-social-network-as-command-and-control-server/6 
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7. http://www.svmantec.com/connect/blo a s/tro i anwhitewell- 
what-s-vour-bot-facebook-status-toda v 

8. http://www.arbornetworks.com/asert/2Q09/Q8/twitter- 
based-botnet-command-channel/ 

9. http://www.svmantec.com/connect/blo as/aooale-a roups- 
troian 

10. http://www.zdnet.com/blo a /securitv/zeus-crimeware- 
usin a -amazons-ec2-as-command-and-control-server/511Q 

11. http://ddanchev.blo as pot.com/ 

12. http://twitter.com/danchodanchev 
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Dissecting a Sample Russian Business Network (RBN) 
Contract/Agreement Through the Prism of RBN's 
AbdAllah Franchise (2013-08-10 21:10) 

[1]The Russian Business Network (RBN) is perhaps the most speculated about, buzzed about cybercrime enterprise in the world, a poster child for fraudulent activity 'streaming' from 'Mother Russia' in the eyes of respected and novice security/cybercrime researchers across the globe. 

However, what a huge percentage of the researchers who are just catching up with its '[2]fraudulent performance metrics' over the years don't realize is how a newly emerged bulletproof hosting provider managed to end up as the world's most prolific source of fraudulent/malicious activity. 

Hint: basic business concepts like franchising, signalling the early stages of the modernization/professionalization of cybercrime, where being the benchmark has had a direct inspirational impact on the 'hearts and minds' of current and potential cybercriminals, then and now. 

Case in point is [3]Abdallah Internet Hizmetleri, also known as AbdAllah (VN), an ex-RBN darling relying on the franchise business concept. 

In this post, I'll discuss a sample contract/contractual agreement that every one of its customers had to sign before doing business with them. In the broader context this leads to a situation where, while the franchise is publicly advertising bulletproof hosting services for trojans, exploits, warez, adult content, drop projects, botnets and spam, it is explicitly forbidding such activities - with some visible exceptions - in its contractual agreement. 

What does this mean? It means that the Russian Business Network, the benchmark for the majority of ex/currently active bulletproof hosting providers, has been (legally) forwarding the responsibility for the fraudulent activity to its customers, while reserving the right to act and deactivate their accounts if they ever violate the agreement/contract. The first thing that comes to my mind when it comes to the RBN 'reacting' in a socially oriented manner are the infamous [4]RBN Fake Account Suspended Notices, and that's just for starters, indicating a deteriorated understanding of malicious/fraudulent activity, with high profit margins in mind. 

Let's go through the contract/agreement that every customer used to sign before doing cybercrime-friendly business with them, both in the original Russian and automatically translated into English. 
Sample AbdAllah (VN) Contractual Bulletproof Hosting 
Agreement/Contract (original Russian text, translated into English): 

1. SUBJECT OF THE CONTRACT 

1.1. The CUSTOMER commissions, and the CONTRACTOR undertakes the obligation to perform, the placement and/or registration of the CUSTOMER's virtual server on the Internet. 

2. CONDITIONS OF PERFORMANCE OF THE CONTRACT 

2.1. Upon conclusion of this Contract the CONTRACTOR performs the initial installation and configuration of the virtual server and provides the CUSTOMER with the information needed to administer the virtual server. 

2.2. The CONTRACTOR provides Internet access to the virtual server, as well as the operability of all of the CUSTOMER's available services around the clock, seven days a week. 

3. PRICES AND PAYMENT PROCEDURE 

3.1. The cost of and payment procedure for the work under this Contract at the time of its conclusion is determined in accordance with the current terms distributed by staff via E-Mail and/or ICQ. 

3.2. Payment is made by the CUSTOMER towards the CONTRACTOR's virtual web server support service. The CONTRACTOR has the right to suspend the provision of services when the account balance is negative. 

3.3. All dedicated servers are provided UNMANAGED, i.e. the CONTRACTOR's administrators may, but are NOT OBLIGED to, configure the rented server. Any configuration of the CUSTOMER's server, or of scripts on it, is charged at 50 USD per hour of the CONTRACTOR's administrator's work on your request, with a minimum of half an hour. Full administration of the server by the CONTRACTOR's specialists costs 250 USD per month. Server reboots are performed free of charge (if there is no automated form for this). 

3.4. If the CUSTOMER has not paid for the services by the last day of the billing period, the CUSTOMER's data is deleted irrecoverably at the start of the next day. In the case of virtual hosting, the account and all backups of that account are deleted; in the case of a rented server (dedicated or vps) the server is taken out of service and the hard drives are formatted. 

4. LIABILITY OF THE PARTIES 
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4.1. The CONTRACTOR is not liable to the CUSTOMER or to third parties for any delays, interruptions, damage or losses arising from: 

(a) defects in any electronic or mechanical equipment not belonging to the CONTRACTOR; 

(b) problems in data transfer or connectivity that occurred through no fault of the CONTRACTOR; 

(c) force majeure circumstances in the generally accepted sense, i.e. extraordinary forces and unavoidable circumstances beyond reasonable control; 

(d) pressure from the authorities. 

4.2. If the Contract is terminated at the CUSTOMER's initiative, the unused portion of the advance payment is not returned to the CUSTOMER. 

4.3. The CONTRACTOR reserves the right to suspend service to the CUSTOMER or to terminate the Contract unconditionally, without returning funds to the CUSTOMER, in the following cases: 

- hosting child pornography or zoophilia in any form; 

- attempts at hacking or unauthorized intrusion into the server or into the accounts of other CLIENTS, or attempts to damage equipment or software; 

- attempts at hacking government organizations in any form; 

- attempts to send spam of any kind from our virtual hosting servers, other than through SOCKS proxies; 

- attempts at phishing banks (theft of money); 

- hosting information on the trade in weapons or drugs, or trafficking in people or human organs, or inciting ethnic or religious hatred, or calling for war or violence; 

- unjustified overloading of the computing capacity of the virtual hosting server (the use of no more than 5% of the processor's capacity and no more than 128 MB of the server's RAM is permitted); 

- attempts at hacking, from the servers (dedicated or virtual hosting), servers located in the same rack, or clients in the same country in which the server is located; 

- insulting the service's staff in any form. 

4.4. The CONTRACTOR is not responsible for the content of the information hosted by the CUSTOMER. 

4.5. The CONTRACTOR will not be liable for any costs or damage arising directly or indirectly from the use of the web hosting service. 

4.6. A MoneyBack for a dedicated server is possible only if the unavailability of that server is the CONTRACTOR's fault, since the CONTRACTOR pays the full cost of the server to the data center. Replacement of the server is also possible. 

4.7. Hosting of the CUSTOMER's sites that are advertised by SPAM on the CONTRACTOR's servers (both virtual hosting and dedicated) is charged separately, based on the volume of messages. For volumes from 5 million to 10 million = 1000 USD - 1500 USD per month for a server in China or Hong Kong, or 150 USD per week or 500 USD per month for virtual hosting; for more than 10-20 million = 200 USD per week or 2000 $ for a dedicated server. 
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
4.8. The CONTRACTOR undertakes to make daily backups of the CUSTOMER's account to a third-party server (virtual hosting only). 

4.9. The CONTRACTOR undertakes to resolve all complaints (abuse reports) on its own, without involving the CUSTOMER and without interfering with the CUSTOMER's data. The CONTRACTOR does not resolve complaints (abuse reports) from the police, major government organizations or VerSign. 

4.10. The CONTRACTOR gives no guarantee that the CUSTOMER's domain will not be blocked for any reason, especially reasons such as any kind of SPAM, fraud, phishing, etc. 

5. CONFIDENTIAL INFORMATION 

5.1. The Parties undertake not to transfer to third parties, nor to use in any way other than as provided for by the terms of the Contract, without mutual consent, organizational and technological, commercial, financial and other information constituting a secret of either party (hereinafter "confidential information"), provided that: 

- such information has actual or potential commercial value by virtue of being unknown to third parties; 

- there is no free access to such information on a lawful basis; 

- the holder of such information takes appropriate measures to ensure its confidentiality. 

5.2. The Parties undertake, without mutual consent, not to disclose information about the content and terms of the Contract to third parties. 

5.3. The CONTRACTOR undertakes to prevent the recording of logs on the virtual hosting servers and the routing equipment. 

5.4. Be careful: the CONTRACTOR's staff do not ask for passwords to virtual hosting accounts or dedicated servers. The exception is when the CUSTOMER asks for some work to be performed on his dedicated Server. 

Automatically translated Russian Business Network 
(RBN) Contractual Agreement/Contract: 

1. SUBJECT OF CONTRACT 

1.1. Customer Requests, but ARTIST is committed to the placement and / or registration CUSTOMER virtual server on the Internet. 

2. CONDITIONS OF IMPLEMENTATION OF THE TREATY 

2.1. At the conclusion of this treaty ARTIST produces initial setup and configuration of the virtual server and provides the necessary information for CUSTOMER virtual server administration. 

2.2. ARTIST provides access to the Internet to the virtual server, as well as efficiency of all available services CUSTOMER day seven days a week. 

3. PRICES AND ORDER OF PAYMENT 

3.1. Cost and arrangements of works under this contract at the time of its conclusion is determined in accordance with existing conditions, the staff distributed by E-Mail and / or ICQ. 

3.2. Payment is made ZAKAZCHIKOM as payment services support virtual web server ISPOLNITELEM. ARTIST 
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right to suspend the provision of services at a negative status of the account. 

3.3. All dedicated servers are provided in a position UNMANAGED ie ISPOLNITELYA administrators can, but not OBYAZANY tune rented server. For any server setup CUSTOMER or scripts on it - charge of $ 50 USD / for 1 hour administrator ISPOLNITELYA to your question, at least half an hour. The full server administration specialists ISPOLNITELYA worth USD 250 per month. Free done rebooting the server (if not automatic form for this). 

3.4. If no payment ZAKAZCHIKOM bill on the last day of the period, the data are removed CUSTOMER new offensive on days without reciprocating. In the case of virtual hosting account and removed all of your backups, in case the rental server (dedicated or vps) server is removed from service, formatted hard drives. 

4. RESPONSIBILITY OF PARTIES 

4.1. ARTIST no responsibility to ZAKAZCHIKOM or third parties for any delays, interruptions, damage or losses that occur because of: 

(a) defects in any electronic or mechanical equipment, not belonging ISPOLNITELYU; 

(b) problems in the transfer of data or connection that occurred through no fault ISPOLNITELYA; 

(c) due to force majeure circumstances, in the conventional sense, that is, nepredotvratimymi forces and emergency circumstances, not subject to reasonable control; 

(g) pressure from the authorities. 

4.2. At the dissolution of the Treaty on the initiative CUSTOMER, ZAKAZCHIKU unused portion of the advance is not refundable. 

4.3. ARTIST reserves the right to suspend or terminate CUSTOMER service contract in order without the unconditional return of customer funds in the following cases: 

- Locating and zoofilii child pornography in any form; 

- attempted burglary, unauthorized entry to the server, in the accounts of other customers, trying to damage equipment or software; 

- attempted burglary governmental organizations in any form; 

- spam attempts of any kind from our servers hosting virtual except through SOCKS; 

- phishing attempts banks (stealing money); 

- posting on the arms trade and drug trafficking, or human organs, causing inter-ethnic and religious discord, calling for war and violence; 

- unjustified computing power overload virtual server hosting (which is allowed to use no more than 5 % of CPU capacity, and no more than 128 MB of RAM server); 

- attempted burglary of servers (and dedicated virtual hosting) - servers, which are located next to the rack, a customer in the same country where the server; 

- insulting to any form of service personnel. 

4.4. ARTIST is not responsible for the content of the information posted ZAKAZCHIKOM. 
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4.5. ARTIST shall not be liable for any costs or damages arising directly or indirectly from the use of Web hosting services. 

4.6. MoneyBack for dedicated server is possible only in case the inaccessibility of the fault occurs on the server ISPOLNITELYA, because ARTIST pay for the full cost of a server in Data Center. Also possible replacement server. 

4.7. Placing sites CUSTOMER advertised on servers ISPOLNITELYA SPAM (as virtaulnogo hosting, and dedicated) is charged separately at the rate of the volume of letters. With volume of 5 million to 10 million USD = 1000 -1500 USD per month for the server in China or Gong Konge or 150 USD week, or 500 USD per month for a virtual hosting, a 10-20 million = 200 USD week, or $ 2000 for a dedicated server. 

4.8. ARTIST undertakes to do daily backups CUSTOMER account for the third-party server (only virtual hosting). 

4.9. ARTIST undertakes to decide all complaints (abuzy / abuse), are not engaging in the CUSTOMER and without interference in the CUSTOMER data. ARTIST does not solve complaints (abuzy / abuse) from the police, government organizations and major VerSign. 

4.10. ARTIST gives no guarantees that the domain CUSTOMER not be blocked for any reason, but especially like any kind of SPAM, fraud, phishing, etc. 

5. CONFIDENTIAL INFORMATION 

5.1. The Parties undertake without the unanimous consent not to transfer to third parties or used in any other way other than prescribed conditions Treaty, organizational and technological, commercial, financial and other information, which is the secret to any of the parties (hereinafter - "confidential information"), provided that: 

- this information is actual or potential commercial value by virtue of its unknown third parties; 

- to such information no free access to the lawful; 

- holds such information shall take appropriate steps to ensure its confidentiality. 

5.2. The Parties undertake, without unanimous consent, not to transfer to third parties about the content and conditions of the Treaty. 

5.3. ARTIST undertakes to prevent logging on servers and virtual hosting routing equipment. 

5.4. Be careful, do not require employees ISPOLNITELYA passwords from virtual hosting accounts and dedicated servers. The exception is when CUSTOMER request to any work for his Vydelennom Server. 

Excluding the direct offering of managed servers for spam sending in the actual agreement/contract, and the fact that their abuse department is virtually non-existent, the contract explicitly prohibits related malicious/fraudulent activity. Naturally, that's not the case when AbdAllah (VN) used to advertise its bulletproof hosting service across cybercrime-friendly communities, "back in the day": 
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In 2013, despite the overall availability of RBN-like bulletproof hosting providers, cybercriminals continue experimenting with abusing legitimate infrastructure in an attempt to mitigate the risk of having their activities exposed. 

Various cases throughout the last couple of years include: 

• [5]Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastructure 

• [6]RSA: Banking trojan uses social network as command and control server 

• [7]Trojan.Whitewell: What's your (bot) Facebook Status Today? 

• [8]Twitter-based Botnet Command Channel 

• [9]Google Groups Trojan 

• [10]Zeus crimeware using Amazon's EC2 as command and control server 

The "best" is yet to come. 

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter. 

1. https://www.google.com/#bav=&q=site:ddanchev.blogspot.com+RBN 

2. http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf 

3. http://www.shadowserver.org/wiki/uploads/Information/RBN_Rising.pdf 

4. http://ddanchev.blogspot.com/2008/01/rbns-fake-account-suspended-notices.html 

5. http://www.zdnet.com/blog/security/cybercriminals-use-twitter-linkedin-baidu-msdn-as-command-and-control-infrastructure/11210 

6. http://www.zdnet.com/blog/security/rsa-banking-trojan-uses-social-network-as-command-and-control-server/6 
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7. http://www.symantec.com/connect/blogs/trojanwhitewell-what-s-your-bot-facebook-status-today 

8. http://www.arbornetworks.com/asert/2009/08/twitter-based-botnet-command-channel/ 

9. http://www.symantec.com/connect/blogs/google-groups-trojan 

10. http://www.zdnet.com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110 

11. http://ddanchev.blogspot.com/ 

12. http://twitter.com/danchodanchev 

Spamvertised 'Confirmed Facebook Friend Request' 
Themed Emails Serve Client-Side Exploits 

(2013-08-15 14:03) 

A currently circulating malicious spam campaign entices users into thinking that they've received a legitimate 'Friend Confirmation Request' on Facebook. In reality, though, the campaign attempts to exploit client-side vulnerabilities, [1]CVE-2010-0188 in particular. 

Client-side exploits serving URL: 

hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?dpheelxa=11:30:11:1g:1j&pkvby=h&rzuhhh=1h:33:1o:2v:32:1o:2v:1o:1j:1m&ycxlcvr=1f:1d:1f:1d:1f:1d:1f 

Detection rate for the malicious PDF: [2]MD5: 39326c9a2572078c379eb6494dc326ab - detected by 3 out of 45 antivirus scanners as PDF/Blacole-FAA!39326C9A2572; Exploit:Win32/CVE-2010-0188; Exploit.Script.Pdfka.btvxj 

Domain name reconnaissance: 

facebook.com.n.find-friends.lindoliveryct.net - 66.230.163.86; 95.111.32.249; 188.134.26.172 - Email: zsupercats@yahoo.com 

Responding to the same IPs (66.230.163.86; 95.111.32.249; 188.134.26.172) are also the following malicious domains: 

actiry.com - Email: stritton@actiry.com 
askfox.net - Email: bovy@askfox.net 
bnamecorni.com 
briltox.com - Email: lyosha@briltox.com 
condalinneuwu37.net 
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condrskajaumaksa66.net 
cyberflorists.su - Email: mipartid@gmx.com 
evishop.net - Email: hardwicke@evishop.net 
exnihujatreetrichmand77.net 
gondorskiedelaahuetebanj88.net 
gotoraininthecharefare88.net 
liliputttt9999.info - Email: dolgopoliy.alexei@yandex.ru 
lucams.net - Email: renault@lucams.net 
micnetwork100.com - Email: 369258wq@sina.com 
musicstudioseattle.net - Email: rexonal948@live.com 
nvufvwieg.com - Email: 369258wq@sina.com 
partyspecialty.su - Email: mipartid@gmx.com 
pinterest.com.onsayoga.net 
quill.com.account.settings.musicstudioseattle.net 
seoworkblog.net - Email: mendhamnewjersey@linuxmail.org 
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net 
tor-connect-secure.com - Email: 369258wq@sina.com 
vip-proxy-to-tor.com 

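Several of the hostnames above share one construction: a trusted brand's domain (facebook.com, pinterest.com, quill.com, tigerdirect.com) occupies the leftmost labels, while the domain that was actually registered sits at the far right. The Python below is an added example for this post, not code from the original, showing how a defender can tell the two apart: a small suffix resolver (constructed here to cover only the TLDs in the list; a production tool would use the Public Suffix List) and a check that flags a brand appearing anywhere left of the registrable domain. The brand list and the benign hostnames are constructed for the demonstration.

```python
"""Flag hostnames that bury a well-known brand's domain inside the
subdomain labels of an unrelated registrable domain, the pattern used by
facebook.com.n.find-friends.lindoliveryct.net in the post above.

Added example, not code from the original post. The suffix list, the
brand list and the benign sample hostnames are constructed for the demo.
"""
import re

# Public suffixes handled by this toy resolver (assumption: enough for the
# TLDs in the post; a real tool would consult the Public Suffix List).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "su", "ru"}

# Brand domains the defender wants protected (constructed list).
BRANDS = {"facebook.com", "pinterest.com", "quill.com", "tigerdirect.com"}


def registrable_domain(hostname: str) -> str:
    """Return the label pair that could actually be registered, e.g.
    'lindoliveryct.net' for 'facebook.com.n.find-friends.lindoliveryct.net'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in PUBLIC_SUFFIXES:
        raise ValueError(f"unsupported or malformed hostname: {hostname!r}")
    return ".".join(labels[-2:])


def impersonated_brand(hostname: str):
    """Return the brand domain that appears as whole labels left of the
    registrable domain, or None when the hostname is not a look-alike.

    A genuine brand hostname (www.facebook.com) resolves to the brand
    itself and is therefore not flagged.
    """
    host = hostname.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in BRANDS:
        return None
    prefix = host[: -len(reg)]  # everything left of the registrable domain
    for brand in BRANDS:
        # The brand must match whole labels: "facebook.com." but not
        # "notfacebook.com.", so anchor on a label boundary.
        if re.search(r"(^|\.)" + re.escape(brand) + r"\.", prefix):
            return brand
    return None


def triage(hostnames):
    """Map each hostname to the brand it impersonates (None if clean)."""
    return {h: impersonated_brand(h) for h in hostnames}


if __name__ == "__main__":
    # Hostnames from the post plus two constructed benign ones.
    sample = [
        "facebook.com.n.find-friends.lindoliveryct.net",
        "pinterest.com.onsayoga.net",
        "quill.com.account.settings.musicstudioseattle.net",
        "tigerdirect.com.secure.orderlogin.asp.palmer-ford.net",
        "www.facebook.com",
        "seoworkblog.net",
    ]
    for host, brand in triage(sample).items():
        print(f"{host:60} -> {brand or 'clean'}")
```

Run it over a passive DNS export or a proxy log's hostname column and every hit is a candidate for the same kind of spamvertised lure; the label-boundary anchor keeps names like notfacebook.com.example.net from producing false positives.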
Name servers used in these campaigns: 

Name Server: NS1.TEMPLATESWELL.NET - 94.249.254.48 - Email: freejob62@rocketmail.com 
Name Server: NS1.THEGALAXYATWORK.COM - 94.249.254.48 - Email: samyideaa@yahoo.com 
Name Server: NS1.MOBILE-UNLOCKED.NET - 91.227.220.104 - Email: usalifecoach47@mail.com 
Name Server: NS2.MOBILE-UNLOCKED.NET - 32.100.2.98 
Name Server: NS1.KNEESLAPPERZ.NET 
Name Server: NS1.MEDUSASCREAM.NET - 37.247.108.250 - Email: m_mybad@yahoo.com 
Name Server: NS1.CREDIT-FIND.NET - 194.209.82.222 - Email: mendhamnewjersey@linuxmail.org 
Name Server: NS1.GONULPALACE.NET - 194.209.82.222 - Email: mitinsider@live.com 
Name Server: NS1.NAMASTELEARNING.NET - 93.178.205.234 - Email: minelapse2001@outlook.com 
Name Server: NS2.NAMASTELEARNING.NET - 205.28.29.52 

The following malicious MD5s are also known to have phoned back to the same IPs/were downloaded from the same IPs in the past: 

MD5: e08c8ed751a3fc36bc966e47b76e2863 
MD5: f507b822651d2fbc82a98e4cc7f735a2 
MD5: f88d6a7381c0bbac1b1558533cfdfd62 
MD5: 11be39e64c9926ea39e6b2650624dab4 
MD5: ea893fb04cc536ff692cc3177db7e66f 
MD5: c8f8b4c0fced61f8a4d3b2854279b4ef 
MD5: 93bae01631d10530a7bac7367458abea 
MD5: 199b8cf0ffd607787907b68c9ebecc8b 
MD5: 6b1bef6fb45f5c2d8b46a6eb6a2d5834 
MD5: 9eb6ed284284452f7a1e4e3877dded2d 
MD5: efacf1c2c6b33f658c3df6a3ed170e2d 
MD5: 7c70d5051826c9c93270b8c7fc9d276f 
MD5: dcb378d6033eed2e01ff9ab8936050a0 
MD5: 8556f98907fd74be9a9c1b3bf602f869 
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This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter. 

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 

2. https://www.virustotal.com/en/file/667fc839167456a70f22cf5c6ef8f0291d4e1399374219469f56472251ec58af/analysis/1376565463/ 

3. http://ddanchev.blogspot.com/ 

4. http://twitter.com/danchodanchev 
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
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
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
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The Cost of Anonymizing a Cybercriminal's Internet 
Activities - Part Three (2013-08-21 20:57) 

Over the years, I've been persistently highlighting the abuse of compromised hosts, either as 'stepping stones' or as the primary facilitators for 'island hopping' campaigns, empowering those using them with the necessary non-attributable 'know-how' not just to anonymize their Internet activities, but also to engineer cyber warfare tensions. 

The utilization of hacked/compromised hosts/PCs as 'island hopping' points, or as 'stepping stones', continues to take place in 2013, with more managed cybercrime-friendly services offering access to compromised hosts located virtually all over the world, access to which can be bought in a cost-effective manner thanks to the available discounts or price discrimination schemes. 

Catch up with previous research on the topic: 

• [1]The Cost of Anonymizing a Cybercriminal's Internet Activities 

• [2]The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two 

• [3]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 

• [4]Malware Infected Hosts as Stepping Stones 

• [5]Hacked PCs as 'anonymization stepping-stones' service operates in the open since 2004 

• [6]'Malware-infected hosts as stepping stones' service offers access to hundreds of compromised U.S based hosts 

• [7]New service converts malware-infected hosts into anonymization proxies 

What has changed over the years? Is what was once thought to be the future of anonymization for cybercrime-friendly activities, 'proxy chaining' - think chaining of connections between multiple malware-infected hosts - still relevant today? Or was the concept largely replaced by the log- and data-retention-free cybercrime-friendly VPN providers that continue popping up on everyone's radar? 

Since 2010, a DIY application for managing multiple gates has been commercially available for cybercriminals to take advantage of. It supports HTTPS, and a gate can be a proxy (a SOCKS4/SOCKS5 compromised host, provided it has been properly configured for the purpose). It performs a Man-in-the-Middle "attack" on the requests passed through the "chain" of compromised hosts/servers, modifying their cookies/headers in order to randomize them for anonymization purposes. 

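One of the application's advertised features (listed further down in the post) is adding X-Forwarded-For, X-Real-IP and Via headers carrying random addresses, so that servers which derive the visitor's IP from those headers, or which use mod_realip, log bogus addresses. The Python below is an added example for this post, not code from the application or its author, contrasting that naive header trust with the resolution a server should perform: forwarding headers are honoured only when the TCP peer is one of the server's own reverse proxies, and the chain is walked right to left so that an address a client planted in front of the genuine one is ignored. The trusted-proxy range and the sample requests are constructed for the demonstration.

```python
"""Resolve the real client address the way a server must when proxies are
involved: trust X-Forwarded-For / X-Real-IP / Via only when the TCP peer
is a proxy you control, never on the say-so of the peer itself.

Added example for this post, not code from the application or the
author. The trusted proxy range and the sample requests are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Reverse proxies this server sits behind (constructed assumption).
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"),)

FORWARDING_HEADERS = {"x-forwarded-for", "x-real-ip", "via"}


@dataclass
class Request:
    peer_ip: str                              # TCP peer the server accepted from
    headers: dict = field(default_factory=dict)  # header names lower-cased


def _is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)           # raises ValueError on garbage
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(req: Request) -> str:
    """What a mod_realip-style setup does when it trusts every peer: the
    leftmost X-Forwarded-For entry (or X-Real-IP) wins, whoever sent it.
    This is exactly the behaviour the gate application exploits."""
    xff = req.headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return req.headers.get("x-real-ip", req.peer_ip)


def hardened_client_ip(req: Request) -> str:
    """Ignore forwarding headers from an untrusted peer. From a trusted
    proxy, walk X-Forwarded-For right to left, peeling off our own
    proxies; the first address that is not ours is the client."""
    if not _is_trusted(req.peer_ip):
        return req.peer_ip
    chain = [h.strip() for h in req.headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:
            break                             # malformed entry: distrust the header
    return req.peer_ip                        # no usable client address in the chain


def spoof_flag(req: Request) -> bool:
    """Detection signal: forwarding headers arriving straight from an
    untrusted peer mean none of our proxies were in the path, so someone
    is trying to plant an address in the logs."""
    return not _is_trusted(req.peer_ip) and bool(FORWARDING_HEADERS & set(req.headers))


if __name__ == "__main__":
    # Constructed sample: a direct connection carrying forged headers, and a
    # genuine request relayed by our proxy 10.0.0.5 via a second proxy 10.0.0.7,
    # where the client also prepended a fake address of its own.
    direct = Request("203.0.113.9", {"x-forwarded-for": "198.51.100.77", "via": "1.1 random"})
    relayed = Request("10.0.0.5", {"x-forwarded-for": "1.2.3.4, 192.0.2.44, 10.0.0.7"})
    for name, r in (("direct", direct), ("relayed", relayed)):
        print(f"{name:8} naive={naive_client_ip(r):15} hardened={hardened_client_ip(r):15} spoof={spoof_flag(r)}")
```

The same right-to-left rule is what nginx's real_ip_recursive and Apache's RemoteIPInternalProxy implement; the point of the example is that without a trusted-proxy list the header is attacker-controlled input, which is why the randomised headers the application adds are effective against sites that skip that list.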
Let's take a close look at this state of the art gate/proxy 
chaining cybercrime-friendly application. 

Sample screenshots of the application's interface: 
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The application's author is also known to have been released 
custom builds for various cybercrime-friendly forums: 
Some of its core features include: 

[+] HTTPS support for php-gates, needs OpenSSL 

[+] Ability to set a password on the gate. 

[+] Ability to work with a gate through any proxy (HTTP(S), SOCKS4, SOCKS5). 

[+] Working with gates exclusively via the GET method, which provides protection from detection by the log files on the server. 

[+] Ability to set Cookies, transferred during handling to the gate. This is useful for hiding the code in the files of the site gate. Format: "cookie = value; cookie2 = ..." 

[+] Processing of each connection is in a separate thread. 

[+] Ability to do unlimited downloads and uploads of large files (in case of inability to bypass the restrictions of set_time_limit(), files can be downloaded in a few passes, provided the target server supports resume). 

[+] Preprocessing mechanism optimizes queries under HTTP 1.0. 

[+] The presence of an encryption key must be specified (purely symbolic encryption to hide traffic from prying eyes), and all data, including the password for the gate, are transmitted in encrypted form. Enabling / disabling the encryption does not require editing the gate code. 

[+] Ability to work with several gates. In this case, each gate is assigned a specific User-Agent (assigned at random) that does not allow the target site to link together the requests from different gates. 

[+] Ability to add to a request to the target site the headers X-Forwarded-For, X-Real-IP and Via with random IP addresses (in this case, sites that use mechanisms for determining the visitor's IP address from these headers, or that use mod_realip, will end up logging bogus addresses, as these headers mislead the site administrator). 

[+] Ability to select the interface to listen on. 

[+] More statistics on network connections, there are different levels of profiling queries (and no logs are written to the file). 

[+] Support for chains of gates. 

[+] Chain of 3 modes: 

- Direct sequence (traffic passes through a series of gates that you explicitly stated) 

- Random chain (each request is passed through a randomly built chain of gates) 

- Random chain with a specific output gate (similar to the previous mode, except that the final gate remains constant). 

[+] Ability to speed up surfing through the chain by local caching of IP addresses. 

[+] Support for HTTPS gates is independent of their number. 

[+] Using cascade encryption - the ability to use any number of gates with different encryption keys. 

[+] Built-in gate checker. 

[+] You can check all the gates at once, or each gate individually when adding / editing. 

[+] Built-in gates. 

[+] Ability to insert into the gate code a pre-generated table of permutations. This eliminates the need to store the encryption key directly in the gate, and to generate a table for each access to the gate. 

[+] Automate the process of creating a masked gate with Cookies 

[+] Ability to delete line breaks and tabs from the code. 

[+] Ability to set arbitrary request headers. 

[+] Ability to define hosts to which a specific header will be sent. 

[+] Ability to temporarily activate / deactivate a specific header. 

[+] Gain control of the key up to 2048 bits (256 bytes) using md5 

[+] Complete independence of the bytes from each other (including the order of the bytes and the encrypted block length). 

[+] The variable number of rounds of permutations, depending on the key. 

[+] Partly salt as XOR of a byte hash of the key. 
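As an added example (not code from the post or from the application it profiles), the defender-side handling of the X-Forwarded-For / X-Real-IP / Via headers that the feature list above says the application fills with random addresses: honour them only when the direct peer is one of your own reverse proxies, take the rightmost hop that is not yours, and flag direct peers that send forwarding headers at all. TRUSTED_PROXIES and the sample requests are constructed for the example.

```python
"""Added example (not from the original post): trusted-proxy aware handling
of X-Forwarded-For / X-Real-IP, the headers the profiled application fills
with random addresses.

A site that believes these headers unconditionally (the post mentions
mod_realip) logs whatever the chaining application put there. The defensive
rule: only honour forwarding headers when the direct TCP peer is one of our
own reverse proxies, and then take the rightmost hop that is not ours.
TRUSTED_PROXIES and all request samples below are constructed for this
example.
"""
import ipaddress
from typing import Mapping

# Constructed: address ranges of the reverse proxies / load balancers we run.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]

FORWARDING_HEADERS = ("x-forwarded-for", "x-real-ip", "via")


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; missing header -> empty string."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def _parse_ip(text: str):
    """Return an ip_address object, or None for malformed input."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(text: str, trusted=TRUSTED_PROXIES) -> bool:
    ip = _parse_ip(text)
    return ip is not None and any(ip in net for net in trusted)


def _hops(value: str) -> list:
    """Split a comma-separated header value into its non-empty hops."""
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def client_ip(peer: str, headers: Mapping[str, str], trusted=TRUSTED_PROXIES) -> str:
    """Address to log / rate-limit for a request that arrived from `peer`.

    `peer` is the socket-level remote address, which the client cannot forge.
    """
    # An untrusted peer controls every header it sends: ignore them all and
    # attribute the request to the peer itself.
    if not _is_trusted(peer, trusted):
        return peer

    hops = _hops(_header(headers, "x-forwarded-for"))
    if not hops:
        hops = _hops(_header(headers, "x-real-ip"))

    # Our outermost proxy appends the real client last, so walk from the
    # right and skip addresses that belong to our own proxy tier. Anything
    # further left was supplied by the client and is not trusted.
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue
        ip = _parse_ip(hop)
        # A malformed hop means the chain was tampered with: fall back to peer.
        return str(ip) if ip is not None else peer

    # Header absent, or every hop was one of our proxies.
    return peer


def spoofed_forwarding_headers(peer: str, headers: Mapping[str, str],
                               trusted=TRUSTED_PROXIES) -> bool:
    """Detection helper: True when a peer that is not one of our proxies sent
    forwarding headers, which is what the profiled application does to
    mislead IP-based logging."""
    if _is_trusted(peer, trusted):
        return False
    return any(_header(headers, name) for name in FORWARDING_HEADERS)


# Constructed sample requests: (peer address, headers).
SAMPLE_REQUESTS = [
    ("10.0.0.5", {"X-Forwarded-For": "198.51.100.9, 10.0.0.3"}),            # via our proxy
    ("10.0.0.5", {"X-Forwarded-For": "192.0.2.44, 198.51.100.9, 10.0.0.3"}), # client-claimed hop on the left
    ("203.0.113.7", {"X-Forwarded-For": "198.51.100.77", "Via": "1.1 x"}),   # direct peer, spoofed headers
    ("10.0.0.5", {"X-Forwarded-For": "garbage, 10.0.0.3"}),                 # tampered chain
    ("10.0.0.5", {"X-Real-IP": "198.51.100.20"}),                            # single-hop style header
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        flag = "spoofed" if spoofed_forwarding_headers(peer, hdrs) else ""
        print(peer, "->", client_ip(peer, hdrs), flag)
```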

With the ease of assessing a malware-infected host's bandwidth, thanks to the overall availability of such an option among the most popular managed services offering access to such hosts, it shouldn't be surprising that a potential cybercriminal using this application would be in a perfect position to create - [8]in a DIY fashion - a stable anonymous network, to further assist him on his way to achieving his fraudulent or purely malicious objectives. 

The bottom line? What's the cost of anonymizing a cybercriminal's internet activities? 1,900 rubles or $57.53 for the application, in this particular case. 

This post has been reproduced from [9]Dancho 
Danchev's blog. Follow him [10]on Twitter. 

1. http://ddanchev.blogspot.com/2008/10/cost-of-anonymizing-cybercriminals.html 

2. http://ddanchev.blogspot.com/2009/02/cost-of-anonymizing-cybercriminals.html 

3. http://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.html 

4. http://ddanchev.blogspot.com/2008/02/malware-infected-hosts-as-stepping.html 

5. http://blog.webroot.com/2013/03/20/hacked-pcs-as-anonymization-stepping-stones-service-operates-in-the-open-since-2004/ 

6. http://blog.webroot.com/2013/08/02/malware-infected-hosts-as-stepping-stones-service-offers-access-to-hundreds-of-compromised-u-s-based-hosts/ 

7. http://blog.webroot.com/2012/03/02/new-service-converts-malware-infected-hosts-into-anonymization-proxies/ 

8. http://blog.webroot.com/tag/diy/ 

9. http://ddanchev.blo as pot.com/ 

10. http://twitter.com/danchodanchev 
Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment 

(2013-08-22 18:19) 

Continuing the series of blog posts detailing the very latest efficiency/quality/scalability/universal business concepts oriented underground market propositions for fake IDs, credit cards and utility bills, in this post I'll discuss an example of market segmentation in terms of supplying them, through an ad targeting potential cybercriminals based in France, or international cybercriminals wanting to enter the French market. 

Catch up with previous research on the topic: 

• [1]Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills' Service Randomizes and Generates Unique Fakes On The Fly 

• [2]A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports 

What's so special about this underground market proposition, anyway? It's the market segmentation taking place through the eyes of the vendor, as well as the diversity of scanned .PSD Photoshop templates, the non-modifiable scanned documents, and the actual availability of physical fake IDs, all of them exclusively targeting the French market segment. 

Sample screenshot of the advertisement: 
There are several types of vendors contributing to the currently mature state of the market for fake IDs/documents, or to the cybercrime ecosystem in general. Let's discuss the most popular types of market players. 

Among the rarest type of such vendors is the experienced one who tends not to advertise at public or commercially accessible cybercrime-friendly communities. Although it would seem fairly logical to assume that the applied OPSEC (Operational Security) would be directly proportional to the decrease in processed orders, since it would limit the visibility of his services within the cybercrime ecosystem, that's not necessarily the case when quality, experience, sophistication, and, of course, high profit margins based on perceived value come into play. In addition to the lack of mass advertisements, the vendor would also not list his contact details, and would only do business with cybercriminals with proven reputation within not just the community in question, but also across the entire ecosystem. 

Next are those vendors who'd sacrifice OPSEC for the sake of reaching as many customers as possible, in an attempt to monetize this market 'touch point' with other prospective cybercriminals. They advertise on public and on commercially accessible cybercrime-friendly communities, usually have a decent reputation, with generally positive feedback from their customers, and of course, never fail to 'deliver' what they pitch. 
There's yet another type of such vendors worth discussing. It's those who 'populate' a newly launched community with their propositions, and most often target novice cybercriminals with zero understanding of cybercrime ecosystem reputation dynamics, who are still looking to purchase this desired, but largely commoditized underground market good. 

With more vendors of fake IDs/documents popping up across the entire ecosystem, the series of blog posts profiling their activities is prone to expand. 

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter. 

1. http://ddanchev.blogspot.com/2013/07/newly-launched-scanned-fake.html 

2. http://ddanchev.blogspot.com/2013/05/a-peek-inside-russian-underground.html 

3. http://ddanchev.blogspot.com/ 

4. http://twitter.com/danchodanchev 
The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Four (2013-08-23 17:16) 

Continuing the "The Cost of Anonymizing a Cybercriminal's Internet Activities" series, in this post I'll profile an API-supporting, blackhat SEO-friendly vendor of anonymization services, which is currently offering hundreds of thousands of compromised SSH accounts, HTTP/HTTPS based (compromised) proxies, and the ubiquitous for the cybercrime ecosystem Socks 4/5 servers. 

Catch up with related research on the topic: 

• [1]The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Three 

• [2]The Cost of Anonymizing a Cybercriminal's Internet Activities 

• [3]The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two 

• [4]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 

• [5]Malware Infected Hosts as Stepping Stones 

• [6]Hacked PCs as 'anonymization stepping-stones' service operates in the open since 2004 

• [7]'Malware-infected hosts as stepping stones' service offers access to hundreds of compromised U.S based hosts 

• [8]New service converts malware-infected hosts into anonymization proxies 

The service is currently offering access to 180,331 compromised SSH accounts, 9597 HTTP/HTTPS proxies, and 110,185 (compromised) Socks servers located virtually all over the World. 

How are they gaining access to this accounting data in the first place? Despite the overall availability of brute-forcing tools, in 2013 one of the most popular tactics for obtaining stolen/compromised accounting data remains the practice of 'data mining' a botnet's already infected 'population' for virtually any kind of accounting data, to be later on monetized through multiple distribution/abuse channels. 

Sample screenshots of the anonymization service: 
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Sample screenshots of the API in action: 
What's also worth emphasizing is the fact that the service is not just targeting potential cybercriminals wanting to anonymize their Internet activities, but also [9]black hat SEO monetizers, who now have access to hundreds of thousands of fresh Socks servers for the purpose of abusing them on their way to monetizing their fraudulent/malicious campaigns. 

[10]Vertical market integration, or the one-stop-shop market model, has always been an inseparable part of the cybercrime ecosystem, as it increases the probability that a cybercriminal's one-stop-shop would immediately occupy a larger market share within the cybercrime ecosystem, consequently resulting in more revenue from the facilitation of fraudulent and malicious activity. 

Some of the most popular instances of this trendy business concept applied by cybercriminals internationally include, but are not limited to, the following real-life underground market propositions: 

• A vendor of [11]mobile spamming services would not only offer the actual spamming process, but also offer harvested mobile numbers as a value-added service, next to the on-demand harvesting of mobile numbers for any given geographical region. 

• A vendor of [12]managed spam services would also offer the option to buy segmented and geolocated, as well as often validated, email addresses, with the ability to perform custom harvesting for any given country. 

• A [13]vendor of a managed iFraming platform would also offer access to hijacked traffic to be automatically converted to malware-infected hosts through the platform, with additional services including, for instance, managed crypting of the iFrame/malicious script in real-time. 

• An [14]author of a Web malware exploitation kit would also be offering managed iFrame/script crypting services, next to bulletproof hosting in case the customer desires those. 

The cost of anonymizing a cybercriminal's Internet activities in this particular case? The price is shaped based on the anonymization method of choice. 



This post has been reproduced from [15]Dancho 
Danchev's blog. Follow him [16]on Twitter. 

1. http://ddanchev.blogspot.com/2013/08/the-cost-of-anonymizing-cybercriminals.html 

2. http://ddanchev.blogspot.com/2008/10/cost-of-anonymizing-cybercriminals.html 

3. http://ddanchev.blogspot.com/2009/02/cost-of-anonymizing-cybercriminals.html 

4. http://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.html 

5. http://ddanchev.blogspot.com/2008/02/malware-infected-hosts-as-stepping.html 

6. http://blog.webroot.com/2013/03/20/hacked-pcs-as-anonymization-stepping-stones-service-operates-in-the-open-since-2004/ 

7. http://blog.webroot.com/2013/08/02/malware-infected-hosts-as-stepping-stones-service-offers-access-to-hundreds-of-compromised-u-s-based-hosts/ 

8. http://blog.webroot.com/2012/03/02/new-service-converts-malware-infected-hosts-into-anonymization-proxies/ 

9. http://ddanchev.blogspot.com/2013/04/whats-roi-on-going-to-virtual-blackhat.html 

10. http://blog.webroot.com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity/ 

11. http://blog.webroot.com/2012/05/07/managed-sms-spamming-services-going-mainstream/ 

12. http://blog.webroot.com/2012/05/17/a-peek-inside-a-managed-spam-service/ 

13. http://blog.webroot.com/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedding-platform-released-on-the-underground-marketplace/ 

14. http://blog.webroot.com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity/ 

15. http://ddanchev.blogspot.com/ 

16. http://twitter.com/danchodanchev 
Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards (2013-08-29 02:26) 

Continuing the series of blog posts profiling the most recent underground market propositions for high quality fake passports/IDs/documents, in this post I'll focus on a cybercrime-friendly vendor that's exclusively targeting the U.S market. 

Go through previous research into the market for fake passports/IDs/documents: 

• [1]Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills' Service Randomizes and Generates Unique Fakes On The Fly 

• [2]A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports 

• [3]Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment 

Offering fake plastic driving licenses for over 25+ U.S States, including student IDs for major U.S Universities, for a static price of $150, the vendor not just currently outperforms competing vendors in terms of quality in this particular market segment - within the cybercrime-friendly community in question - but is also already receiving recommendations from other cybercriminals to raise the price of his underground market 'asset', indicating penetration pricing in action. 

Payment methods accepted? Bitcoin, Western Union and 
Moneygram. 

Sample underground market ad: 

[VENDOR'S NAME REDACTED] has over 25+ states on tap, along with 'secondaries' to offer, all of which are high quality, meaning in-state without issue, in most cases. All IDs contain UV (where applicable as some states don't), multispec-hologram, 1D/2D barcode and/or magstripe that will scan/swipe to read DMV/AAMVA license standard. 

The vendor is requiring the following data from his potential customers: 

Name - First, MI, Last 

Address 

DOB 

Sex 

Hair Color 

Height 

Weight 

Eye color 

Driver License number - if a number isn't provided one will be randomly generated 

Endorsements and/or Restrictions - if not included these will be left blank 

Scanned signature - if not provided you will receive a generic font signature 

*****More\Less info may be required depending on the state requested 

Scanned passport picture - no webcam pictures can be accepted. 

If you cannot get a real passport picture and have a decent camera, please take a pic from the chest up against a white background/drywall with the flash 'ON'. I will handle the cropping aspect. Also try to have good lighting and when scanning use high resolution. You may also upload a signature. I ask that this be written using a black sharpie style pen to achieve the best results. 

You may upload this info to sendspace.com or the file-sharing site of your choosing and forward me the download link. I will confirm reception via email and your order will begin processing. All IDs are 150USD with incentive to group buys. Payment can be made via BTC, WU, Moneygram. Payment will be collected upon completion and approval of your order. 

Sample screenshots of the service's current 
'inventory': 
The market for fake passports/IDs/documents is prone to flourish, as more cybercriminals demand both scanned and plastic fake IDs to be later on abused in related fraudulent schemes. Naturally, the market is quick to supply, and those who excel in their Operational Security and the quality of their underground market 'assets' will begin occupying a decent market share within this underground market segment. 

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter. 

1. http://ddanchev.blogspot.com/2013/07/newly-launched-scanned-fake.html 

2. http://ddanchev.blogspot.com/2013/05/a-peek-inside-russian-underground.html 

3. http://ddanchev.blogspot.com/2013/08/vendor-of-scanned-fake-ids-credit-cards.html 

4. http://ddanchev.blogspot.com/ 

5. http://twitter.com/danchodanchev 
Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand-Jacking Money Mule Recruitment Scheme (2013-08-29 22:41) 

Over the years, I've been actively researching the money mule recruitment epidemic, providing actionable (real-time/historical) intelligence on their activities, exposing [1]their DNS infrastructure, offering an exclusive peek inside [2]the Administration Panels utilized by money mules, and emphasizing current and emerging tactics applied by the individuals orchestrating the final stages of a fraudulent operation - the cash out process through basic risk-forwarding. 

Catch up with previous research on the money mule recruitment problem: 

• [3]Spotted: cybercriminals working on new Western Union based 'money mule management' script 

• [4]Keeping Money Mule Recruiters on a Short Leash - Part Eleven 

• [5]Keeping Money Mule Recruiters on a Short Leash - Part Ten 

• [6]Keeping Money Mule Recruiters on a Short Leash - Part Nine 

• [7]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 

• [8]Keeping Money Mule Recruiters on a Short Leash - Part Seven 

• [9]Keeping Money Mule Recruiters on a Short Leash - Part Six 

• [10]Keeping Money Mule Recruiters on a Short Leash - Part Five 

• [11]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 

• [12]Keeping Money Mule Recruiters on a Short Leash - Part Four 

• [13]Money Mule Recruitment Campaign Serving Client-Side Exploits 

• [14]Keeping Money Mule Recruiters on a Short Leash - Part Three 

• [15]Money Mule Recruiters on Yahoo!'s Web Hosting 

• [16]Dissecting an Ongoing Money Mule Recruitment Campaign 

• [17]Keeping Money Mule Recruiters on a Short Leash - Part Two 

• [18]Keeping Reshipping Mule Recruiters on a Short Leash 

• [19]Keeping Money Mule Recruiters on a Short Leash 

• [20]Standardizing the Money Mule Recruitment Process 

• [21]Inside a Money Laundering Group's Spamming Operations 

• [22]Money Mule Recruiters use ASProx's Fast Fluxing Services 

• [23]Money Mules Syndicate Actively Recruiting Since 2002 

In this post, I'll profile a novel money mule recruitment scheme that involves high profit margins - of course for the ones organizing the scheme - through a direct and, most importantly, (pseudo) legal brand-jacking of a gullible business owner's brand name, enticing him/her into opening a merchant account for processing E-commerce transactions coming from more gullible and socially engineered mules. 

It all begins with an email coming from a non-existent "environmental enterprise", which in this particular case is abusing Google's brand in an attempt to increase the probability of a successful interaction with the socially engineered business owners: 

Sample email: 

Environmental enterprise searching for representation internationally 

5 % commission on 200K cash flow originated from promotion and sales of proprietary research articles 

Necessary conditions: 

- Own a company 
- Be reachable on daily basis through E-mail, phone or Skype 
- Proper execution of all planned undertakings 

In case of being interested, please provide: 

- Name and Surname 
- Age 
- Telephone number (including country code) 
- City and Country 
- Email 

Please answer to: NAME@googleapp-consult.com 

Faithfully yours, 

HR dept 

Those who reply are kindly asked to open a merchant bank account using their own company data, and assured that, despite the fact that the Web site which will be selling the bogus 'research articles' will be using their (legitimate) business brand's name and contact details, they will still receive their 5 % commission on a 200,000/250,000 EUR in anticipated revenue, which would naturally be coming directly from other mules participating in the fraudulent scheme. Moreover, despite that a business owner will have his company brand, logo, contact information listed at the Web site, he/she will have zero visibility to the non-existent purchasing process of this research, as "all customer service, sales, technical logistics, etc. are to be handled by us." 



Why would a potential cybercrime syndicate want a socially engineered business owner to open a merchant bank account using his/her own data? Pretty simple. In my previous research on [24]the standardization of the money mule recruitment process, I emphasized how money mules are often vetted through online-based surveys, which always ask questions that are important from a mule recruiter's perspective, such as: when did you first open your bank account, and do you have any limitations on incoming/outgoing monetary transactions on it? 

However, an established company would always benefit from the trust it has already established with its financial institution/service of choice, meaning that it will not only get its merchant account opened, but will also successfully pass the majority of the verification mechanisms for high volume transactions put in place by the financial institution/service. 

Sample reply email: 

Thank you for your reply.

We are a company involved in development, branding and launching of several web media and IT projects involved in consulting on green technology, renewables and alternative energy sources. Several of the projects are being currently launched online and each one will need to have a card payment interface. This collaboration refers to opening a merchant account for online credit card acceptance (E-commerce).

We would need your company to open a merchant account for card acceptance and handle the receivables derived from the sales generated by each project. A bank/payment provider will facilitate data needed for website integration with their E-commerce payment gateway. We will handle the technical side of such integration in full.

We will brand the website under your company, therefore the administrative company data listed on the website will be yours, but all customer service, technical logistics and sales are to be handled by us.

The products sold will be proprietary research articles and information packages on green technology, renewables and alternative energy sources.

Incoming proceedings from sales will be settled by the bank (or the payment provider) into your business bank account on a time scale defined by the bank (or the payment provider).

These sale proceedings will be transferred to us, minus your commission and expenses incurred. The volume of monthly payments processed through the merchant account will be in the order of EUR 200,000 - EUR 250,000 per month in the initial months. The expected rise is roughly 5-6 % every month. The commission proposed to you stands at 5 % of the mentioned volume.

All the expenses related to the operation including the banking and transactions fees and the merchant account setup and related fees are to be covered by us. If you agree in principle, I will provide the contract draft to define the legal terms of our collaboration.

Yours sincerely,

Michael Torti

General Manager

ECO FIN Projects (Gibraltar)

Tel/Fax: +350 2006 1287

Who are ECOFIN Projects (ecofinservices.net - 50.63.220.106)? Nothing more than [25]a cybercrime-friendly "marketing agency" at its best.

Sample About Us description:

Ecofin is offering outstanding solutions which are useful in maximizing revenues that are generated through a wide range of investment sectors and global assets. A wide range of services and financial opportunities are being offered for manufacturers, developers, owners as well as financial investors interested in our niche investment portfolios and services.

We are operating as a globally safe company as well as involving risk and integrity management expertise that brings together practical experience along with cutting edge, innovative engineering and technologies. The company is research based which is primarily focused on environmental sectors, alternative energy, infrastructure, as well as utility all around the globe.

The firm is practicing a fundamental and basic approach while it comes to managing its clientele assets. Ecofin is useful in developing, branding as well as launching exclusive information sales podiums based on alternative, as well as green technological sources along with IT and web media themes. The company is dedicated to providing its clients with the highest levels of quality services and investment returns within the niche industries that we focus upon.

Contact details:

+350 200 67911 (Gibraltar) 

+852 5808 2461 (Hong Kong) 

+54 11 5984 1154 (Buenos Aires) 

+44 20 3051 6249 (London) 

Skype: ecofin2013 
Suite 4, 209 Main Street 
Gibraltar GBZ1AA 

A potentially socially engineered business owner 
would then be contacted with a similar email: 

Please find the Contract draft attached, review and confirm your agreement with every point of it. The next step would be to provide the proper company data to be put in the contract and produce the final version for the signing.

Please review the showcase website:

This site will be copied into a new domain reflecting your company name and your company data.

As indicated, all customer service, sales, technical logistics, etc. are to be handled by us. You would need to open a merchant account for online credit card acceptance (E-commerce).

The customers will be from all over the world. All the issues related to sales, marketing, customer service, supply, logistics, etc. are to be handled by us. You will be required to open a merchant account for online credit card acceptance, receive the funds and transfer us the proceedings, as indicated in the contract draft with detail. No capital or any upfront payments from your side are required. If it is necessary to cover any upfront fees for the merchant account establishment, we will transfer such fees to you beforehand.

Sample Web Site Template offered as an example of how a socially engineered business owner's company-branded Web site would look (greentechidea.com - 50.63.39.1):


Sample copy of the Contract: 
Sample domains from the mule recruitment campaigns spamvertised over email:

googleapp-consult.com
googleapps-euro.com
worlds-trade.com
trades-consult.com
worlds-diploms.com

Sample name servers involved in the campaign:

NS1.ELCACAREO.NET - 184.82.62.16; 136.0.16.169; 184.82.204.70 - Email: shanghaiherald32@yahoo.com
NS2.ELCACAREO.NET - 6.87.78.121

The same email (shanghaiherald32@yahoo.com) is also known to have been used to register the following fraudulent/malicious domains:

badstylecorps.com
tvblips.net
viperlair.net

[26]"The only green is money". 

This post has been reproduced from [27]Dancho 
Danchev's blog. Follow him [28]on Twitter. 

1. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

2. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

3. http://blog.webroot.com/2013/03/22/spotted-cybercriminals-working-on-new-western-union-based-money-mule-management-script/

4. http://ddanchev.blogspot.com/2011/08/keeping-money-mule-recruiters-on-short.html

5. http://ddanchev.blogspot.com/2011/07/keeping-money-mule-recruiters-on-short.html

6. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_30.html

7. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_25.html

8. http://ddanchev.blogspot.com/2011/05/keeping-money-
Summarizing Webroot's Threat Blog Posts for August (2013-08-30 14:11)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for August, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]'Malware-infected hosts as stepping stones' service offers access to hundreds of compromised U.S based hosts

02. [4]New 'Hacked shells as a service' empowers cybercriminals with access to high page rank-ed Web sites

03. [5]Fake 'iPhone Picture Snapshot Message' themed emails lead to malware

04. [6]Malicious Bank of America (BofA) 'Statement of Expenses' themed emails lead to client-side exploits and malware

05. [7]Cybercriminals spamvertise fake 'O2 U.K MMS' themed emails, serve malware

06. [8]One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email databases and training to potential customers

07. [9]Fake 'Apple Store Gift Card' themed emails serve client-side exploits and malware

08. [10]Newly launched managed 'malware dropping' service spotted in the wild

09. [11]Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity

10. [12]From Vietnam with tens of millions of harvested emails, spam-ready SMTP servers and DIY spamming tools

11. [13]DIY Craigslist email collecting tools empower spammers with access to fresh/valid email addresses

12. [14]Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open since 2009

13. [15]DIY automatic cybercrime-friendly 'redirectors generating' service spotted in the wild

14. [16]Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase

15. [17]Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity - part two

This post has been reproduced from [18]Dancho Danchev's blog. Follow him [19]on Twitter.
Rogue iFrame Injected Web Sites Lead to the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake Mobile Malware (2013-09-16 14:29)

A currently ongoing malicious campaign relying on injected iFrames at legitimate Web sites successfully [1]segments mobile traffic and exposes mobile users to fraudulent, legitimately looking variants of the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake mobile malware.

Let's dissect the campaign, expose the domain portfolio currently/historically known to have been involved in it, and list all the malicious MD5s known to have been pushed by it.
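
Added example (not code from the original post): a small audit, written here with Python's standard library, that lists a page's iframes and flags those pointing off-origin while hidden or sized 1x1, the usual shape of an injected iFrame like the ones this campaign relies on. The sample HTML and the hostnames in it are constructed for the demo.

```python
"""Audit HTML for injected-looking iframes.

Added example (not from the original post). Flags <iframe> elements whose
src points to a host other than the page's own, especially when the frame is
hidden or near-zero in size, which is the typical shape of an injected iframe.
The sample HTML and the domains in it are constructed for this demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (pixels): the classic 1x1 frame."""
    if value is None:
        return False
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    return digits != "" and int(digits) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append(dict(attrs))


def audit_iframes(html, page_url):
    """Return one finding dict per iframe, with a verdict of ok/review/suspicious."""
    page_host = urlparse(page_url).hostname or ""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.frames:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        off_origin = bool(host) and host != page_host
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = any(m in style for m in HIDDEN_STYLE_MARKERS) or (
            _tiny(attrs.get("width")) and _tiny(attrs.get("height")))
        if off_origin and hidden:
            verdict = "suspicious"   # third-party content the visitor cannot see
        elif off_origin:
            verdict = "review"       # visible third-party embed: confirm it is expected
        else:
            verdict = "ok"
        findings.append({"src": src, "host": host, "off_origin": off_origin,
                         "hidden": hidden, "verdict": verdict})
    return findings


# Constructed sample page: one same-origin frame, one visible third-party
# embed, and one hidden off-origin frame of the injected kind (hostnames are
# made up for the demo).
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.example-shop.test/cart"></iframe>
<iframe src="https://player.video-embed.test/v/123" width="640" height="360"></iframe>
<iframe src="http://googlanalytics.example/count.php" width="1" height="1"
        style="display: none; visibility: hidden"></iframe>
</body></html>
"""


def suspicious_hosts(html, page_url):
    """Hosts of frames judged 'suspicious', sorted for stable output."""
    return sorted(f["host"] for f in audit_iframes(html, page_url)
                  if f["verdict"] == "suspicious")


if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, "https://www.example-shop.test/"):
        print(f"{f['verdict']:<10} {f['src']}")
```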

iFrame injected domains containing the mobile traffic segmentation script, parked on the same IP (93.170.109.193):
Sample mobile malware MD5s pushed by the campaign:
Phone back location:

hxxp://depositmobi.com/getTask.php/task=updateOpening&s= - 93.170.107.130

Parked on the same IP (93.170.107.130) are also the following domains participating in the campaign's infrastructure:

The following malicious mobile malware MD5s are known to have phoned back to the same IP in the past:

What's also worth emphasizing is that we've also got a decent number of malicious Windows samples known to have phoned back to the same IP in the past, presumably in an attempt by fellow cybercriminals to monetize the traffic through an affiliate program.


Actual download location of a sample of the mobile malware:

hxxp://mediaworks3.com/getfile.php?dtype=dle&u=getf1&d=FLVPLayer - 78.140.131.124

The following mobile malware serving domains are also known to have resolved to the same IP (78.140.131.124) in the past:




As well as the following malicious MD5s:

[16] MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
[17] MD5: 4e5af55dd6a310bced83eb08c9a635b3

Thanks to the commercial availability of [18]DIY iFrame injecting platforms, the current [19]commoditization of hacked/compromised accounts across multiple verticals, the [20]efficiency-oriented mass SQL injection campaigns, as well as the existence of beneath-the-radar [21]malvertising campaigns, cybercriminals are perfectly positioned to continue monetizing mobile traffic for fraudulent/malicious purposes.

This post has been reproduced from [22]Dancho Danchev's blog. Follow him [23]on Twitter.
Dissecting FireEye's Career Web Site Compromise (2013-09-18 19:41)

Remember when back in 2010, I established a direct connection between several [1]mass Wordpress blogs compromise campaigns and the campaign behind the [2]compromised Web site of the U.S. Treasury, prompting the cybercriminal(s) behind it to [3]redirect all the campaign traffic to my Blogger profile?

It appears that the cybercriminal/gang of cybercriminals behind these mass Web site compromise campaigns is/are not just [4]still in business, but - Long Tail of the malicious Web - also [5]managed to infect FireEye's (external network) Careers Web Site.

Let's dissect the campaign, expose the malicious domain portfolio behind it, provide MD5s for a sample exploit and the dropped malware, and connect it to related malicious campaigns, all of which continue to share the same malicious infrastructure.

Sample redirection chain:

hxxp://vjs.zencdn.net/c/video.js
->
hxxp://cdn.adsbarscipt.com/links/jump/ (198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44) (IE)
->
hxxp://cdn.adsbarscipt.com/links/flash/?updnew (CHROME)
->
hxxp://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php
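The chain above branches on the visitor's browser: the intermediate hop at cdn.adsbarscipt.com hands Internet Explorer and Chrome different paths before both land on the exploit page. A crawler that follows the chain with a single User-Agent therefore records only one branch. The following is an added example, not code from the original post: it walks a redirect/include chain once per User-Agent against an in-memory stand-in for the attacker's servers. The URLs are the ones listed above (with hxxp restored to http); the response bodies, the HTTP status codes and the exact rule "IE gets the iframe from /links/jump/, Chrome is bounced to /links/flash/?updnew" are assumptions constructed for the example, since the post shows the hops but not the server responses.

```python
import re
from urllib.parse import urljoin

# Constructed, in-memory stand-in for the attacker's servers, keyed by
# (URL, User-Agent substring). "*" matches any browser. The bodies and the
# IE/Chrome split are assumptions for this example, not captured content.
FAKE_SERVERS = {
    ("http://vjs.zencdn.net/c/video.js", "*"): (200, {},
        'var s=document.createElement("script");'
        's.src="http://cdn.adsbarscipt.com/links/jump/";document.body.appendChild(s);'),
    ("http://cdn.adsbarscipt.com/links/jump/", "MSIE"): (200, {},
        '<iframe src="http://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php"'
        ' width=0 height=0></iframe>'),
    ("http://cdn.adsbarscipt.com/links/jump/", "Chrome"): (302,
        {"Location": "http://cdn.adsbarscipt.com/links/flash/?updnew"}, ""),
    ("http://cdn.adsbarscipt.com/links/flash/?updnew", "*"): (200, {},
        'window.location="http://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php";'),
    ("http://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php", "*"): (200, {},
        "<html>exploit landing page</html>"),
}


def fake_fetch(url, user_agent):
    """Mimic an HTTP client: return (status, headers, body) for url as seen by user_agent."""
    for (served_url, ua_token), response in FAKE_SERVERS.items():
        if served_url == url and (ua_token == "*" or ua_token in user_agent):
            return response
    return (404, {}, "")


# Next-hop sources a TDS typically uses: iframe/script src attributes,
# dynamically created script elements, and JavaScript location assignments.
NEXT_HOP = re.compile(
    r'(?:<iframe[^>]+src\s*=\s*|<script[^>]+src\s*=\s*|\.src\s*=\s*|'
    r'(?:window|document)\.location(?:\.href)?\s*=\s*)["\']([^"\']+)["\']',
    re.IGNORECASE)


def extract_next_hops(base_url, headers, body):
    """Collect candidate next URLs from a Location header and from the body, absolutised."""
    hops = []
    if "Location" in headers:
        hops.append(urljoin(base_url, headers["Location"]))
    hops.extend(urljoin(base_url, target) for target in NEXT_HOP.findall(body))
    return hops


def walk_chain(start_url, user_agent, fetch=fake_fetch, max_hops=10):
    """Follow the first next-hop at every step; return the ordered list of URLs visited."""
    chain, seen, url = [], set(), start_url
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        chain.append(url)
        status, headers, body = fetch(url, user_agent)
        if status == 404:
            break
        hops = extract_next_hops(url, headers, body)
        url = hops[0] if hops else None
    return chain


if __name__ == "__main__":
    for ua in ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)",
               "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/29.0"):
        print(ua.split("(")[0].strip(), "->", " -> ".join(walk_chain(FAKE_SERVERS and
              "http://vjs.zencdn.net/c/video.js", ua)))
```

Swapping `fake_fetch` for a real client (in an isolated analysis VM, never from a production network) gives the same walk against live infrastructure; the point is that the crawl has to be repeated per User-Agent, and the first branch that reaches the landing page is not the only one.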

Detection rate for a sample malicious script found on the client-side exploits serving site:

[6] MD5: 809f70b26e3a50fb9146ddfa8cf500be - detected by 1 out of 49 antivirus scanners as Trojan.Script.Heuristic-js.iacgm

Sample detection rate for the served client-side exploit:

[7] MD5: 71c92ebc2a889d3541ff6f20b4740868 - detected by 4 out of 49 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen; HEUR JAVA.EXEC

Detection rate for a sample dropped malware:

[8] MD5: 4bfb3379a2814f5eb67345d43bce3091 - detected by 15 out of 49 antivirus scanners as Trojan-PSW.Win32.Fareit.acqv; PWS:Win32/Fareit.gen!C



The following malicious MD5s are known to have been downloaded from the same IPs (cdn.adsbarscipt.com: 198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44):

[9] MD5: 82e1013106736b74255586169a217d66
[10] MD5: 01771c3500a5b1543f4fb43945337c7d
[11] MD5: dbf6f5373f56f67e843af30fded5c7f2

Additionally, the campaign is also known to have dropped:

[12] MD5: 01771c3500a5b1543f4fb43945337c7d

Once executed, the most recently dropped sample (MD5: 4bfb3379a2814f5eb67345d43bce3091) phones back to the following C&C servers:

main-firewalls.com (67.228.177.174; 74.204.171.69; 85.195.104.90) - Email: alex1978a@bigmir.net
simple-cdn-node.com (109.120.143.109) - Email: alex1978a@bigmir.net
akamai.com/gate.php

Deja vu! We've already seen alex1978a@bigmir.net in [13]Network Solutions' (2010) mass WordPress blogs compromise, a campaign which is also directly connected with [14]the compromise of the Web site of the U.S. Treasury.

The sample also attempts to download the following additional malware variants:

main-firewalls.com/6.exe
main-firewalls.com/1.exe
simple-cdn-node.com/1.exe - [15]MD5: 05d003a374a29c9c2bbc250dd5c56d7c

Responding to 67.228.177.174 are also the following malicious domains:

aodairangdong.com
bolsaminimall.com
catch-cdn.com
corp-firewall.com
himarkrealty.com
ngnetworld.com
ritz-entertainment.com
server.evietmusic.com
viettv24.com
vpoptv.com
plussolarsolutions.com
artistflower.com
autoairsystems.com
eighteas.com
greenpowersurvey.com
phattubi.com
saigoncitymall.com

The following malicious MD5s are also known to have phoned back to the same IP (67.228.177.174) in the past:

MD5: 05636d38090e5726077cea54d2485806
MD5: 53b73675f1b08cf7ecfc3c80677c8d2e
MD5: 0f424ff9db97dafaba746f26d6d8d5c0
MD5: 633d6de861edc2ecf667f02d0997f10e
MD5: d13ead2b8a424b5e9c5977f8715514c4
MD5: bfc9803c94cc8ba76a916f8e915042e4
MD5: a04d33ced90f72c1a77f312708681c07
MD5: 7e6e15518cc48639612aa4ff00a2a454
MD5: 98d78ef8cc5aee193a7b7a3c3bb58c87
MD5: a030d6e35d736db9dd433a8d2ac8a915
MD5: 1f7a6ed70be6e13efb45e5ba80eed76e
MD5: cfc727a0ad51eb1f111305873d2ade04
MD5: 1b6de030ed3b42e939690630f63d6933
MD5: fa9e92d42580e1789ed04e551a379e4e
MD5: 2ed9d63e4d557667bad7806872cf4412
MD5: bef16d25b2cada2a388ea06c204b44f3
MD5: 77a93ba48d6532e069745bca117d26ed
MD5: 7c7e4cef8a7181f7982a841f7f752368
MD5: 57b5e6f38998e32fa93856970cc66c5e
MD5: 5d388b1f2bf2dc9493f5c4cfb9d53ca0
MD5: ec24a959e39c5d2eb7dc769f4b098efb
MD5: 6357085196499ef5301548ff17b62619
MD5: 3173d4be34f489a4630f2439f9653c2c
MD5: 3bd239ee46ab8ba02f57ed1762bd3ae6
MD5: dce3e33eb294f0a7688be5bea6b7e9d4
MD5: 1ed678e9d29c25043fdd1b4c44f5b2ea
MD5: eccce6f5f509f4ef986d426445a98f0d
MD5: 74e1e2f2d562ab6883124cfa43300cf2
MD5: 6922efa2e5aa16b78c982d633cbe44e9



Responding to 85.195.104.90 are also the following malicious domains:

catch-cdn.com
corp-firewall.com
kronoemail.com
main-firewalls.com
viacominfosys.com
emaildatastore.com

The following malicious MD5s are also known to have phoned back to the same IP (85.195.104.90) in the past:

MD5: 88110dbce9591b68b06b859e7965d509
MD5: 0e055888564fb59cb6d4e35a5c5fb33d
MD5: e9d8d2842b576fd4f6ef9dde1fea4b9f
MD5: e750031fc9b9264852133d8f7284ac7a
MD5: e0da2ca4e9a174cd3c6f8a348e4861ad
MD5: b23a579d7b8bf5a03c121d2f74234b2d
MD5: a1ee5246d984d900f27ce94fbfc37c2b
MD5: 2118a70a2ccf0a7772725e765ad64e08
MD5: f26848e64040b4b6614d95bd967045df
MD5: 9c5997b32bea6945f0cb9ff0c18cf040
MD5: 353305483087a5316fd75f63d641ec1f
MD5: 34e67771ca411b163866f1e795b2e72e
MD5: 571e04b5af915979efc5a7f77794facb
MD5: a21df3ee0c9dd87cf6ca66581aa7eb76
MD5: e2137edd5f550b1942c16e70095c436b
MD5: 97437f6d670db2596b6a6b53c887055c

This kind of factual attribution based on gathered historical OSINT isn't surprising: despite the increasing number of novice cybercriminals joining the ecosystem, the "usual suspects" continue operating for the sake of achieving their fraudulent and malicious objectives.
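The attribution in this post, and in the Facebook spam post that follows, rests on one operation repeated: index every indicator by campaign, then look for indicators that more than one campaign used (a registrant e-mail, a C&C IP, a domain) and join the campaigns those pivots connect. The following is an added example, not code from the original post, that performs that pivot over records built only from what the post states: the FireEye campaign's C&C IPs, domains and registrant e-mail; the 2010 Network Solutions campaign carrying only the e-mail the post says it shares; and, for the later Facebook post, the C&C IPs it reports as shared with the FDIC and "Export License/Invoice Copy" campaigns. Those earlier campaigns are represented only by the overlap the post names, not by their full indicator sets, which are not on this page.

```python
from collections import defaultdict

# Constructed campaign records. Every indicator is one the post reports; the
# 2010, FDIC and Export License campaigns carry only the overlap the post names.
CAMPAIGNS = {
    "FireEye careers compromise (2013)": {
        "ip": {"67.228.177.174", "74.204.171.69", "85.195.104.90", "109.120.143.109"},
        "email": {"alex1978a@bigmir.net"},
        "domain": {"main-firewalls.com", "simple-cdn-node.com"},
    },
    "Network Solutions WordPress compromise (2010)": {
        "email": {"alex1978a@bigmir.net"},
    },
    "Facebook notifications spam (2013)": {
        "ip": {"217.35.75.232", "108.240.232.212", "107.193.222.108", "99.157.164.179"},
        "domain": {"directgrid.org"},
    },
    "FDIC business account spam (2013)": {"ip": {"217.35.75.232", "108.240.232.212"}},
    "Export License/Invoice Copy spam (2013)": {"ip": {"107.193.222.108"}},
}


def build_index(campaigns):
    """kind -> indicator value -> set of campaign names that used it."""
    index = defaultdict(lambda: defaultdict(set))
    for name, kinds in campaigns.items():
        for kind, values in kinds.items():
            for value in values:
                index[kind][value].add(name)
    return index


def shared_indicators(campaigns):
    """The pivots: (kind, value, campaigns) for every indicator seen in more than one campaign."""
    pivots = []
    for kind, values in build_index(campaigns).items():
        for value, names in values.items():
            if len(names) > 1:
                pivots.append((kind, value, tuple(sorted(names))))
    return sorted(pivots)


def clusters(campaigns):
    """Union-find over the pivots: campaigns joined transitively by any shared indicator."""
    parent = {name: name for name in campaigns}

    def find(node):
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for _kind, _value, names in shared_indicators(campaigns):
        root = find(names[0])
        for other in names[1:]:
            parent[find(other)] = root
    groups = defaultdict(list)
    for name in campaigns:
        groups[find(name)].append(name)
    return sorted(tuple(sorted(group)) for group in groups.values())


if __name__ == "__main__":
    for kind, value, names in shared_indicators(CAMPAIGNS):
        print(f"{kind:6} {value:24} links {' + '.join(names)}")
    for group in clusters(CAMPAIGNS):
        print("cluster:", " | ".join(group))
```

Not every pivot carries the same weight. A registrant e-mail reused across domains, or an IP that only ever hosted C&C domains, is strong; an IP on shared hosting (the Linode-style 50.116.x.x addresses in the later posts serve many unrelated sites) is weak on its own and should be confirmed by a second, independent overlap before two campaigns are called one operation.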
This post has been reproduced from [16]Dancho Danchev's blog. Follow him [17]on Twitter.

1. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html

2. http://ddanchev.blogspot.com/2010/05/us-treasury-site-compromise-linked-to.html
Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware (2013-09-28 13:53)

A currently circulating malicious 'Facebook notifications' themed spam campaign attempts to trick Facebook's users into thinking that they've received a notification digest for the activity that (presumably) took place while they were logged out of Facebook. In reality though, once users click on any of the links found in the malicious email, they're automatically exposed to client-side exploits ultimately dropping malware on their hosts.

Let's dissect the campaign, provide actionable intelligence on the campaign's structure, the involved portfolio of malicious domains and the actual/related MD5s, and, as always, connect the currently ongoing campaign with two other previously profiled malicious campaigns.

Spamvertised URL:

hxxp://user4634.vs.easily.co.uk/darkened/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:

hxxp://3dbrandscapes.com/starker/manipulator.js
hxxp://distrigold.eu/compounding/melisa.js
hxxp://ly-ra.com/shallot/mandalay.js

Client-side exploits serving URL:

hxxp://directgrid.org/topic/lairtg-nilles-slliks.php

Malicious domain name reconnaissance:

directgrid.org - 50.116.10.71 - Email: ringfields@islandresearch.net

Responding to the same IP (50.116.10.71) are also the following malicious domains participating in the campaign:

directgrid.biz
directgrid.com
directgrid.info
directgrid.net
directgrid.org
directgrid.us
gilkjones.com
integra-inspection.ca
integra-inspection.co
integra-inspection.info
taxipunjab.com
taxisamritsar.com
watttrack.com


The following malicious MD5s are known to have been downloaded - related campaigns - from the same IP (50.116.10.71):

MD5: 7eb6740ed6935da49614d95a43146dea
MD5: 7768f7039988236165cdd5879934cc5d

The following malicious MD5s are known to have 'phoned back' to the same IP (50.116.10.71) over the past 24 hours:

MD5: a0065f7649db9a885acd34301ae863b0
MD5: 5503573f4fe15b211956f67c66e18d02
MD5: 01d757b672673df8032abbaa8acf3e22
MD5: 7ad68895e5ec9d4f53fc9958c70df01a
MD5: fd99250ecb845a455499db8df1780807
MD5: 3983170d46a130f23471340a47888c93
MD5: c86c79d9fee925a690a4b0307d7f2329
MD5: 25f498f7823f12294c685e9bc79376d2
MD5: 470f4aa3f76ea3b465741a73ce6c22fe
MD5: 43b78852a7363d8a4cf7538d4e68c887
MD5: e3aae430ed4036b19f26fa2ed9bbe2bf
MD5: e782619301a0a0a843cedc5d02c563b5
MD5: fc16335d0e1827b271b031309634dc0f
MD5: a55e21b0231d0508cb638892b6ee8ec5
MD5: 053c84c12900b81506eb884ec9f930c9
MD5: e03d0dd786b038c570dc53690db0673b
MD5: 086b16af34857cb5dfb0163cc1c92569
MD5: e066b50bae491587574603bdfd60826e
MD5: eb22137880f8c5a03c73135f288afb8a
MD5: b88392fb63747668c982b6321e5ce712
MD5: 6254d901b1566bef94e673f833adff8c
MD5: 258d640b802a0bbe08471f4f064cb94a
MD5: c1cefb742107516c3a73489eae176745
MD5: a19f1d5c98c2d7f036f2693ad6c14626
MD5: 3f02f35bc73ad9ef14ab4f960926fd45

Sample detection rate for the client-side exploits serving malicious script:

[1] MD5: 00f5d150ff1b50c0bbc1d038eb676c29 - detected by 2 out of 48 antivirus scanners as Script.Exploit.Kit.C; Troj/ObfJS-EO

Sample detection rate for the served exploit:

[2] MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.Generic; HEUR JAVA.EXEC; TROJ_GEN.F47V0927

Upon successful client-side exploitation the campaign drops the following malicious sample on the affected hosts:

[3] MD5: 6ef9476e6227ef631b231b66d7a2a08b - detected by 7 out of 48 antivirus scanners as Win32/Spy.Zbot.AAU; Trojan-Spy.Win32.Zbot.qckm; TROJ_GEN.F47V0927

Once executed, the sample starts listening on ports 3185 and 7101.

It also creates the following mutexes on the system:

Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{3DC7903B-A05A-C62A-11EB-B06D3016937F}
Global\{3DC7903B-A05A-C62A-75EA-B06D5417937F}
Global\{3DC7903B-A05A-C62A-4DE9-B06D6C14937F}
Global\{3DC7903B-A05A-C62A-65E9-B06D4414937F}
Global\{3DC7903B-A05A-C62A-89E9-B06DA814937F}
Global\{3DC7903B-A05A-C62A-BDE9-B06D9C14937F}
Global\{3DC7903B-A05A-C62A-51E8-B06D7015937F}
Global\{3DC7903B-A05A-C62A-81E8-B06DA015937F}
Global\{3DC7903B-A05A-C62A-FDE8-B06DDC15937F}
Global\{3DC7903B-A05A-C62A-0DEF-B06D2C12937F}
Global\{3DC7903B-A05A-C62A-5DEF-B06D7C12937F}
Global\{3DC7903B-A05A-C62A-95EE-B06DB413937F}
Global\{3DC7903B-A05A-C62A-F1EE-B06DD013937F}
Global\{3DC7903B-A05A-C62A-89EB-B06DA816937F}
Global\{3DC7903B-A05A-C62A-F9EF-B06DD812937F}
Global\{3DC7903B-A05A-C62A-E5EF-B06DC412937F}
Global\{3DC7903B-A05A-C62A-0DEE-B06D2C13937F}
Global\{3DC7903B-A05A-C62A-09ED-B06D2810937F}
Global\{3DC7903B-A05A-C62A-51EF-B06D7012937F}
Global\{3DC7903B-A05A-C62A-35EC-B06D1411937F}
Global\{3DC7903B-A05A-C62A-55EF-B06D7412937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex

It creates the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Waosumag

And changes the following registry values:

[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Keby = "%AppData%\Ortuet\keby.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Waosumag] -> 2df3e6ig = 23 CD 87 C3 1E D1 FA C6 28 2E DF 4D 12 21; 2icbbj3a = 0xC3E6CD13; 185cafc2 = CB D5 E6 C3 F6 D8 CD C6 05 2E EF 4D

It then phones back to the following C&C (command and control) servers:

99.157.164.179
174.76.94.24
99.60.68.114
217.35.75.232
184.145.205.63
99.60.111.51
207.47.212.146
108.240.232.212
107.193.222.108
173.202.183.58
201.170.83.92
81.136.188.57
71.186.174.184
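The host-side artefacts above (the Run value under %AppData%, the mutex names, the two listening ports) and the C&C list are what an incident responder would sweep a fleet for. The following is an added example, not code from the original post: it takes a host snapshot of the kind an EDR or a triage script collects (Run entries, mutexes, listening ports, outbound peers) and reports exact IOC matches from this post plus one generic heuristic, a Run entry that launches a binary from a user-writable profile directory, which catches the same persistence trick when the folder and file names change. The snapshots are constructed for the example; the indicators are the post's. Two names from the post's mutex list are left out of the IOC set on purpose: MPSWabDataAccessMutex and MPSWABOlkStoreNotifyMutex are created by the Windows Address Book library (wab32.dll), which the sample uses to harvest contacts, and so also appear on clean machines.

```python
import re

# Indicators from the post for the Zbot sample (MD5 6ef9476e6227ef631b231b66d7a2a08b).
# Run values are compared after normalisation (quotes/arguments dropped, lower-cased).
ZBOT_IOCS = {
    "mutexes": {
        "Global\\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}",
        "Global\\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}",
        "Local\\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
    },
    "run_values": {"%appdata%\\ortuet\\keby.exe"},
    "ports": {3185, 7101},
    "c2_ips": {"99.157.164.179", "174.76.94.24", "99.60.68.114", "217.35.75.232",
               "184.145.205.63", "99.60.111.51", "207.47.212.146", "108.240.232.212",
               "107.193.222.108", "173.202.183.58", "201.170.83.92", "81.136.188.57",
               "71.186.174.184"},
}

# Constructed host snapshots (invented for this example). INFECTED_HOST mirrors
# the post's artefacts plus a second, renamed persistence entry the exact IOCs miss.
INFECTED_HOST = {
    "run": {
        "Keby": '"%AppData%\\Ortuet\\keby.exe"',
        "OneDrive": '"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
        "Updater": 'C:\\Users\\jdoe\\AppData\\Roaming\\Qwzd\\upd.exe',
    },
    "mutexes": {"Global\\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}", "MPSWabDataAccessMutex"},
    "listening": {135, 445, 3185, 7101},
    "connections": {"99.157.164.179", "13.107.4.50"},
}
CLEAN_HOST = {
    "run": {"OneDrive": '"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
    "mutexes": {"MPSWabDataAccessMutex"},
    "listening": {135, 445},
    "connections": {"13.107.4.50"},
}

# Locations a standard user can write to and that legitimate auto-start entries rarely use.
USER_WRITABLE = re.compile(r"(%appdata%|%temp%|\\appdata\\roaming\\|\\appdata\\local\\temp\\)")


def normalise_run_value(value):
    """Return the executable path from a Run value: outer quotes and arguments dropped, lower-cased."""
    value = value.strip()
    if value.startswith('"'):
        value = value[1:].split('"', 1)[0]
    else:
        value = value.split(" ", 1)[0]
    return value.lower()


def triage(snapshot, iocs):
    """Return sorted (severity, description) findings: exact IOC hits plus the persistence heuristic."""
    findings = []
    for name, value in snapshot["run"].items():
        path = normalise_run_value(value)
        if path in iocs["run_values"]:
            findings.append(("ioc", f"Run\\{name} = {value}"))
        elif USER_WRITABLE.search(path):
            findings.append(("heuristic",
                             f"Run\\{name} starts a binary from a user-writable profile directory: {value}"))
    for mutex in sorted(snapshot["mutexes"] & iocs["mutexes"]):
        findings.append(("ioc", f"mutex {mutex}"))
    for port in sorted(snapshot["listening"] & iocs["ports"]):
        findings.append(("ioc", f"listening on port {port}"))
    for ip in sorted(snapshot["connections"] & iocs["c2_ips"]):
        findings.append(("ioc", f"connection to C&C {ip}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, what in triage(INFECTED_HOST, ZBOT_IOCS):
        print(f"[{severity:9}] {what}")
    print("clean host findings:", triage(CLEAN_HOST, ZBOT_IOCS))
```

The exact matches expire as soon as the operators rebuild the sample; the heuristic does not, at the cost of an allowlist for the handful of legitimate products that start from the Roaming profile.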

We've already seen the same IPs (217.35.75.232; 108.240.232.212) in the following previously profiled malicious campaign - [4]Spamvertised "FDIC: Your business account" themed emails serve client-side exploits and malware.

We've also seen 107.193.222.108 in the following malicious campaign - [5]Spamvertised 'Export License/Invoice Copy' themed emails lead to malware - indicating that all of these campaigns are controlled using the same malicious botnet infrastructure.

The following malicious MD5s are also known to have phoned back to the same C&C servers used in this campaign, over the past 24 hours:

MD5: 9f550edbb505e22b0203e766bd1b9982
MD5: 46cdaead83d9e3de803125e45ca88894
MD5: ffe07e0997d8ec82feb81bac53838d6d
MD5: 28c0bc772aec891a08b06a4029230626
MD5: c8055c6668d1c4c9cb9d68c2c09c14d4
MD5: 0bbabb722e1327cbe903ab477716ae2e
MD5: c4c5db70e7c971e3e556eb9d65f87c84
MD5: 0ff4d450ce9b1eaaef5ed9a5a1fa392d
MD5: e01f435a8c5ed93f6800971505a2cdd2
MD5: 042508083351b79f01a4d7b7e8e35826
MD5: 1f5f75ae82d6aa7099315bf19d0ae4e0
MD5: 35c4d4c2031157645bb3a1e4e709edeb
MD5: a0065f7649db9a885acd34301ae863b0
MD5: 5503573f4fe15b211956f67c66e18d02
MD5: 01d757b672673df8032abbaa8acf3e22
MD5: fd99250ecb845a455499db8df1780807
MD5: 1fab971283479b017dfb79857ecd343b
MD5: a130cddd61dad9188b9b89451a58af28
MD5: 2af94e79f9b9ee26032ca863a86843be
MD5: 8b03a5cf4f149ac7696d108bff586cc5
MD5: 802a522405076d7f8b944b781e4fe133
MD5: b9c7d2466a689365ebb8f6f607cd3368
MD5: 43b78852a7363d8a4cf7538d4e68c887
MD5: c62b6206e9eefe75ba1804788dc552f7
MD5: 385b5358f6a1f15706b536a9dc5b1590
MD5: e3aae430ed4036b19f26fa2ed9bbe2bf
MD5: e782619301a0a0a843cedc5d02c563b5
MD5: fc16335d0e1827b271b031309634dc0f
MD5: 4850969b7febc82c8b82296fa129e818
MD5: 203e0acced8a76560312b452d70ff1e7
MD5: a55e21b0231d0508cb638892b6ee8ec5
MD5: edb1a26ebb8ab5df780b643ad1f0d50f
MD5: 053c84c12900b81506eb884ec9f930c9
MD5: e03d0dd786b038c570dc53690db0673b
MD5: 47d4804fda31b6f88b0d33b86fc681ae
MD5: 086b16af34857cb5dfb0163cc1c92569

This post has been reproduced from [6]Dancho Danchev's blog. Follow him [7]on Twitter.

1. https://www.virustotal.com/en/file/95d3cfd6c1f094871f311593c73726700a1fcc7a1f5cf13ced1317c040545873/analysis/1380362621/

2. https://www.virustotal.com/en/file/bd7c0f52fd7d7e9b20ab9e8f13ac114243a4f09433f484f8fbc3b51c7c44650d/analysis/

3. https://www.virustotal.com/en/file/8b0e0b269a2e332bae756304c07f392789f1c0215c2b23d52cc13fb1ae49f076/analysis/1380320726/

4. http://www.webroot.com/blog/2013/09/23/spamvertised-fdic-business-account-themed-emails-server-client-side-exploits-malware/

5. http://www.webroot.com/blog/2013/07/09/spamvertised-export-licenseinvoice-copy-themed-emails-lead-to-malware/

6. http://ddanchev.blogspot.com/

7. http://twitter.com/danchodanchev
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Fake Pinterest 'Don't forget to confirm your email!' 
Themed Emails Serve Client-side Exploits and Mal¬ 
ware (2013-10-01 21:12) 

Cybercriminals have just launched yet another massive spam campaign, this time attempting to trick Pinterest users into thinking that they've received an email confirmation request. In reality though, once users click on the links found in the malicious emails, they're automatically exposed to client-side exploits, with the campaign dropping two malware samples on the affected hosts once a successful client-side exploitation takes place.

Let's dissect the campaign, expose the malicious portfolio of domains involved in it, provide MD5s of the served malware as well as a sample exploit, and provide actionable (historical) intelligence regarding related malicious activities that have been taking place using the same infrastructure that's involved in the Pinterest campaign.

Spamvertised malicious URL:

boxenteam.com/hathaway/index.html?emailmpss/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:

theodoxos.gr/hairstyles/defiling.js

web29.webbox11.server-home.org/volleyballs/cloture.js

knopfios-combo.de/subdued/opposition.js

Sample client-side exploits serving URL:

pizzapluswindsor.ca/topic/latest-blog-news.php

Malicious domain name reconnaissance:

pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145

Responding to the same IP (50.116.6.57) are also the following malicious domains, part of the campaign's infrastructure: pizzapluswindsor.ca, plainidea.com, procreature.com, poindextersonpatrol.com, pixieglitztutus.com

Known to have responded to the second IP (174.140.169.145) are also the following malicious domains:


The following malicious MD5s are known to have phoned back to the same IP on the 22nd of September, 2013:


Detection rate for a sample served exploit from the Pinterest themed campaign: [1]MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

Upon successful client-side exploitation, the campaign drops two malware samples on the affected hosts.

Detection rate for the first dropped sample: [2]MD5: ae840d6ac2f02b4bff85182d2c72a053 - detected by 6 out of 48 antivirus scanners as UDS:DangerousObject.Multi.Generic

Once executed, it phones back to the following C&C:

78.140.131.151/uploading/id=REDACTED&u=PSEUDO_RANDOM_CHARACTERS

The following malicious MD5s are also known to have phoned back to the same C&C IP (78.140.131.151) in the past:

Detection rate for the second dropped sample: [3]MD5: 83bbe52c8584a5dab07a11ecc5aaf090 - detected by 3 out of 48 antivirus scanners as Trojan-Spy.Win32.Zbot.qgje; Trojan.Backdoor.RV

Once executed, it starts listening on ports 7867 and 1653.

The sample then creates the following mutexes on the affected hosts:


Once executed, it also drops MD5: 2da7bbc5677313c2876b571b39edc7cf and MD5: 83bbe52c8584a5dab07a11ecc5aaf090 on the affected hosts.

It then phones back to the following C&C (command and control) servers:


We've already seen (some of) these C&C IPs in the previously profiled malicious campaign "[4]Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware".

This post has been reproduced from [5]Dancho Danchev's blog. Follow him [6]on Twitter.

1. https://www.virustotal.com/en/file/bd7c0f52fd7d7e9b20ab9e8f13ac114243a4f09433f484f8fbc3b51c7c44650d/analysis/1380650108/

2. https://www.virustotal.com/en/file/2dbc3ad0626cbb577ec319b7a62b07b6899ffa74ad98309a6390623f2cd9cdd2/analysis/1380650448/

3. https://www.virustotal.com/en/file/db9345188d8b913b7abd5ea998f67fb7d4fb7aa054e48c52641e795d9b3c7e28/analysis/1380650677/

4. http://ddanchev.blogspot.com/2013/09/spamvertised-facebook-you-have-friend.html

5. http://ddanchev.blogspot.com/

6. http://twitter.com/danchodanchev
Summarizing Webroot's Threat Blog Posts for September (2013-10-02 16:10)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for September, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]DIY malicious Android APK generating 'sensitive information stealer' spotted in the wild

02. [4]Scammers pop up in Android's Calendar App

03. [5]Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild

04. [6]Managed Malicious Java Applets Hosting Service Spotted in the Wild

05. [7]Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps

06. [8]419 advance fee fraudsters abuse CNN's 'Email This' Feature, spread Syrian Crisis themed scams

07. [9]Cybercriminals offer anonymous mobile numbers for 'SMS activation', video tape the destruction of the SIM card on request

08. [10]Yet another 'malware-infected hosts as anonymization stepping stones' service offering access to hundreds of compromised hosts spotted in the wild

09. [11]Cybercriminals experiment with 'Socks4/Socks5/HTTP' malware-infected hosts based DIY DoS tool

10. [12]Cybercriminals sell access to tens of thousands of malware-infected Russian hosts

11. [13]Spamvertised "FDIC: Your business account" themed emails serve client-side exploits and malware

12. [14]Cybercriminals experiment with Android compatible, Python-based SQL injecting releases

13. [15]Newly launched E-shop offers access to hundreds of thousands of compromised accounts

14. [16]DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008

15. [17]Yet another subscription-based stealth Bitcoin mining tool spotted in the wild

This post has been reproduced from [18]Dancho Danchev's blog. Follow him [19]on Twitter.

1. http://www.webroot.com/blog

2. http://feeds2.feedburner.com/WebrootThreatBlog

3. http://www.webroot.com/blog/2013/09/06/diy-malicious-android-apk-generating-sensitive-information-stealer-spotted-wild/

4. http://www.webroot.com/blog/2013/09/09/scammers-pop-androids-calendar-app/

5. http://www.webroot.com/blog/2013/09/10/web-based-dns-amplification-ddos-attack-mode-supporting-php-script-spotted-wild/

6. http://www.webroot.com/blog/2013/09/11/managed-malicious-java-applets-hosting-service-spotted-wild/

7. http://www.webroot.com/blog/2013/09/18/affiliate-network-mobile-malware-impersonates-google-play-tricks-users-installing-premium-rate-sms-sending-rogue-apps/

8. http://www.webroot.com/blog/2013/09/18/419-advance-fee-fraudsters-abuse-cnns-email-feature-spread-syrian-crisis-themed-scams/

9. http://www.webroot.com/blog/2013/09/19/cybercriminals-offer-anonymous-mobile-numbers-sms-activation-video-tape-destruction-sim-request/

10. http://www.webroot.com/blog/2013/09/20/yet-another-malware-infected-hosts-anonymization-stepping-stones-service-offering-access-hundreds-compromised-hosts-spott

11. http://www.webroot.com/blog/2013/09/20/cybercriminals-release-new-socks4socks5-malware-infected-hosts-based-diy-dos-tool/

12. http://www.webroot.com/blog/2013/09/23/cybercriminals-sell-access-tens-thousands-malware-infected-russian-hosts/

13. http://www.webroot.com/blog/2013/09/23/spamvertised-fdic-business-account-themed-emails-server-client-side-exploits-malware/

14. http://www.webroot.com/blog/2013/09/24/cybercriminals-experiment-android-based-sql-injecting-python-based-releases/

15. http://www.webroot.com/blog/2013/09/25/newly-launched-e-shop-offers-access-hundreds-thousands-compromised-accounts/

16. http://www.webroot.com/blog/2013/09/27/diy-commercial-captcha-solving-automatic-email-account-registration-tool-available-underground-market-since-2008/

17. http://www.webroot.com/blog/2013/09/27/yet-another-subscription-based-stealth-bitcoin-mining-tool-spotted-wild/

18. http://ddanchev.blogspot.com/

19. http://twitter.com/danchodanchev
Summarizing Webroot's Threat Blog Posts for October (2013-11-01 17:54)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for October, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform

02. [4]Newly launched 'HTTP-based botnet setup as a service' empowers novice cybercriminals with bulletproof hosting capabilities - part two

03. [5]'T-Mobile MMS message has arrived' themed emails lead to malware

04. [6]DDoS for hire vendor 'vertically integrates', starts offering TDoS attack capabilities

05. [7]Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild

06. [8]New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild

07. [9]Cybercriminals offer spam-friendly SMTP servers for rent - part two

08. [10]Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity

09. [11]Fake 'You have missed emails' GMail themed emails lead to pharmaceutical scams

10. [12]Compromised Turkish Government Web site leads to malware

11. [13]Novice cybercriminals offer commercial access to five mini botnets

12. [14]Spamvertised T-Mobile 'Picture ID Type:MMS' themed emails lead to malware

13. [15]Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild

14. [16]Malicious 'FW: File' themed emails lead to malware

15. [17]Mass iframe injection campaign leads to Adobe Flash exploits

16. [18]Rogue ads lead to the 'Mipony Download Accelerator/FunMoods Toolbar' PUA (Potentially Unwanted Application)

17. [19]A peek inside the administration panel of a standardized E-shop for compromised accounts

18. [20]U.K. users targeted with fake 'Confirming your Sky offer' malware serving emails

19. [21]New DIY compromised hosts/proxies syndicating tool spotted in the wild

20. [22]Rogue ads lead to the 'EzDownloaderpro' PUA (Potentially Unwanted Application)

21. [23]Fake 'Scanned Image from a Xerox WorkCentre' themed emails lead to malware

22. [24]Fake 'Important: Company Reports' themed emails lead to malware

23. [25]Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot

24. [26]Fake WhatsApp 'Voice Message Notification/1 New Voicemail' themed emails lead to malware
This post has been reproduced from [27]Dancho Danchev's blog. Follow him [28]on Twitter.

1. http://www.webroot.com/blog

2. http://feeds2.feedburner.com/WebrootThreatBlog

3. http://www.webroot.com/blog/2013/10/01/peek-inside-blackhat-seo-friendly-doorways-management-platform/

4. http://www.webroot.com/blog/2013/10/01/newly-launched-http-based-botnet-setup-service-empowers-novice-cybercriminals-bulletproof-hosting-capabilities-part-two/

5. http://www.webroot.com/blog/2013/10/02/t-mobile-mms-message-arrived-themed-emails-lead-malware/

6. http://www.webroot.com/blog/2013/10/03/vertically-integrating-ddos-hire-vendor-spotted-wild/

7. http://www.webroot.com/blog/2013/10/04/commercially-available-blackhat-seo-enabled-multi-third-party-bhseo-product-licenses-empowered-vps-servers-spotted-wild/

8. http://www.webroot.com/blog/2013/10/04/new-cybercrime-friendly-iframes-based-e-shop-traffic-spotted-wild/

9. http://www.webroot.com/blog/2013/10/07/cybercriminals-offer-spam-friendly-smtp-servers-rent-part-two/

10. http://www.webroot.com/blog/2013/10/08/newly-launched-vds-based-cybercrime-friendly-hosting-provider-helps-facilitate-fraudulentmalicious-online-activity/

11. http://www.webroot.com/blog/2013/10/09/fake-4-missed-emails-gmail-themed-emails-lead-pharmaceutical-scams/

12. http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-leads-malware/

13. http://www.webroot.com/blog/2013/10/11/novice-cyberciminals-offer-commercial-access-5-mini-botnets/

14. http://www.webroot.com/blog/2013/10/14/spamvertised-t-mobile-picture-id-typemms-themed-emails-lead-malware/

15. http://www.webroot.com/blog/2013/10/16/yet-another-bitcoin-accepting-e-shop-offering-access-thousands-hacked-pcs-spotted-wild/

16. http://www.webroot.com/blog/2013/10/16/malicious-fw-file-themed-emails-lead-malware/

17. http://www.webroot.com/blog/2013/10/17/mass-iframe-injection-campaign-leads-adobe-flash-exploits/

18. http://www.webroot.com/blog/2013/10/18/rogue-ads-lead-mipony-download-accelerator-fun-moods-toolbar-pua-potentially-unwanted-application/

19. http://www.webroot.com/blog/2013/10/18/peek-inside-administration-panel-standardized-e-shop-compromised-accounts/

20. http://www.webroot.com/blog/2013/10/21/u-k-users-targeted-fake-confirming-sky-offer-themed-malware-serving-emails/

21. http://www.webroot.com/blog/2013/10/21/new-diy-compromised-hostsproxies-syndicating-tool-spotted-wild/

22. http://www.webroot.com/blog/2013/10/22/rogue-ads-lead-ezdownloaderpro-pua-potentially-unwanted-application/

23. http://www.webroot.com/blog/2013/10/22/fake-scanned-image-xerox-workcentre-themed-emails-lead-malware/

24. http://www.webroot.com/blog/2013/10/24/fake-important-company-reports-themed-emails-lead-malware/

25. http://www.webroot.com/blog/2013/10/25/cybercriminals-release-new-commercially-available-androidblackberry-supporting-mobile-malware-bot/

26. http://www.webroot.com/blog/2013/10/28/fake-whatsapp-voice-message-notification1-new-voicemail-themed-emails-lead-malware-2/

27. http://ddanchev.blogspot.com/

28. http://twitter.com/danchodanchev
Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of Asprox's Multi-Tasking Activities (2013-11-04 18:33)

Malware artifacts, [1]abandoned mass iframe [2]embedded/injected campaigns, and low Quality Assurance (QA) campaigns continue popping up on everyone's radar, raising eyebrows as to the extent of incompetence, possible evasive tactics, plain and simple lack of applied QA when maintaining these campaigns, or the end of a campaign's life cycle.

What's the value of assessing such a non-active campaign? Can the analysis provide any clues into related, currently active malicious campaigns that, as is typical for this type of campaign, continue relying on the same malicious infrastructure? But of course.

Let's assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the multi-tasking activities conducted on behalf of the Asprox botnet, as well as to several spamvertised malware campaigns circa 2010, and most importantly provide actionable intelligence on currently active campaigns that continue using the very same infrastructure for command and control purposes.

Malicious scripts at China Green Dot Gov Dot CN:

update.webserviceftp.ru/js.js - seen in "[3]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

gdi.webserviceftp.ru/js.js - seen in "[4]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

ver.webserivcekota.ru/js.js - seen in "[5]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

batch.webserviceaan.ru/js.js - seen in "[6]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

nemohuildiin.ru/tds/go.php?sid=1 - seen in "[7]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

parkperson.ru:8080/index.php?pid=13 - seen in "[8]Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

nutcountry.ru:8080/index.php?pid=13 - seen in "[9]Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

What's so special about the spamvertised Xerox WorkCentre Pro campaign is that, back in 2010, it used to drop an Asprox sample, naturally phoning back to well known Asprox C&Cs at the time.

nemohuildiin.ru is known to have responded to 31.31.204.61 and most recently to 5.63.152.19.

Known to have responded to the same IP (31.31.204.61) are also the following malicious domains:


Moreover, we also got a decent number of malicious MD5s known to have used the same IP as C&C over the last couple of months, indicating that the artifact is still part of the C&C infrastructure of active campaigns.

The following malicious MD5s are also known to have phoned back to the same IP over the last couple of months:



Known to have responded to 5.63.152.19 are also the following malicious domains:

In a cybercrime ecosystem dominated by leaked [10]DIY mass Web site hacking tools and unsophisticated iframe-ing platforms, malicious artifacts are a great reminder that, as long as a Web site remains susceptible to remote exploitation, it's only a matter of time before a potential cybercriminal embeds/injects a malicious script on it.

That's cybercrime-friendly common sense.

This post has been reproduced from [12]Dancho 
Danchev's blog . Follow him [13]on Twitter. 
Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of Asprox's Multi-Tasking Activities (2013-11-04 18:33)

Malware artifacts, [1]abandoned mass iframe [2]embedded/injected campaigns, and low Quality Assurance (QA) campaigns continue popping up on everyone's radar, raising eyebrows as to the extent of incompetence, possible evasive tactics, the plain and simple lack of applied QA when maintaining these campaigns, or the end of a campaign's life cycle.

What's the value of assessing such a non-active campaign? Can the analysis provide any clues into related, currently active malicious campaigns that, as is typical for this type of campaign, continue relying on the same malicious infrastructure? But of course.

Let's assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the multi-tasking activities conducted on behalf of the Asprox botnet, as well as to several spamvertised malware campaigns circa 2010, and most importantly provide actionable intelligence on currently active campaigns that continue using the very same infrastructure for command and control purposes.

Malicious scripts at China Green Dot Gov Dot CN:

update.webserviceftp.ru/js.js - seen in "[3]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

gdi.webserviceftp.ru/js.js - seen in "[4]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

ver.webserivcekota.ru/js.js - seen in "[5]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

batch.webserviceaan.ru/js.js - seen in "[6]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

nemohuildiin.ru/tds/go.php?sid=1 - seen in "[7]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

parkperson.ru:8080/index.php?pid=13 - seen in "[8]Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

nutcountry.ru:8080/index.php?pid=13 - seen in "[9]Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

What's so special about the spamvertised Xerox WorkCentre Pro campaign is that, back in 2010, it used to drop an Asprox sample, naturally phoning back to well known Asprox C&Cs at the time.

nemohuildiin.ru is known to have responded to 31.31.204.61 and most recently to 5.63.152.19.
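The artifact list above is the kind of thing a site owner can check for mechanically. The following is an added example, not code from the post or its author: it pulls every external script and iframe reference out of a page, matches the host against the domains listed here, and optionally asks a caller-supplied lookup (a stand-in for passive DNS; the demo mapping and the sample page are constructed) whether the host resolves to one of the two C&C IPs above.

```python
"""Added example (not code from the post or its author): flag <script>/<iframe>
references on a page that point at the infrastructure the post lists, or that
resolve, via a caller-supplied lookup, to one of the post's C&C IPs."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts of the script artifacts found at chinagreen.gov.cn, as listed in the post.
KNOWN_BAD_HOSTS = {
    "update.webserviceftp.ru", "gdi.webserviceftp.ru", "ver.webserivcekota.ru",
    "batch.webserviceaan.ru", "nemohuildiin.ru", "parkperson.ru", "nutcountry.ru",
}
# C&C IPs nemohuildiin.ru responded to, per the post.
KNOWN_BAD_IPS = {"31.31.204.61", "5.63.152.19"}

# A reference with no scheme still counts as external if it starts with a
# host name (the post writes its artifacts this way: host/path).
SCHEMELESS_HOST = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}(:\d+)?(/|$)", re.I)


class _RefCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag, in order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def normalize_host(url):
    """Return the lower-cased host of an external reference, or "" for a
    relative path. Defanged hxxp:// is accepted so IoC lists can be fed in."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    if "://" not in url and not url.startswith("//"):
        if not SCHEMELESS_HOST.match(url):
            return ""
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def find_malicious_refs(html, resolver=None):
    """Return (tag, src, reason) for each external script/iframe reference
    whose host is a known-bad domain or, if resolver(host) is given as a
    stand-in for a passive-DNS lookup, whose host maps to a known C&C IP."""
    collector = _RefCollector()
    collector.feed(html)
    hits = []
    for tag, src in collector.refs:
        host = normalize_host(src)
        if not host:
            continue  # inline script or relative path, nothing to pivot on
        if host in KNOWN_BAD_HOSTS:
            hits.append((tag, src, "known malicious domain"))
            continue
        ip = resolver(host) if resolver else None
        if ip in KNOWN_BAD_IPS:
            hits.append((tag, src, "resolves to known C&C IP " + ip))
    return hits


# Constructed sample page: one local script, one injected loader from the
# post's list, one hidden iframe to the port-8080 TDS, one unknown host.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script type="text/javascript" src="http://update.webserviceftp.ru/js.js"></script>
</head><body>
<iframe src="http://parkperson.ru:8080/index.php?pid=13" width="1" height="1"></iframe>
<iframe src="http://other-host.example/ad"></iframe>
</body></html>"""


def demo_resolver(host):
    """Constructed stand-in for passive DNS; the IPs are the post's, the
    mapping of other-host.example to one of them is hypothetical."""
    return {"nemohuildiin.ru": "5.63.152.19",
            "other-host.example": "31.31.204.61"}.get(host)


if __name__ == "__main__":
    for tag, src, reason in find_malicious_refs(SAMPLE_HTML, demo_resolver):
        print("%-6s %-50s %s" % (tag, src, reason))
```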

Known to have responded to the same IP (31.31.204.61) are also the following malicious domains:


Moreover, we also have a decent number of malicious MD5s known to have used the same IP as C&C over the last couple of months, indicating that the artifact is still part of the C&C infrastructure of active campaigns.

The following malicious MD5s are also known to have phoned back to the same IP over the last couple of months:



Known to have responded to 5.63.152.19 are also 
the following malicious domains: 

In a cybercrime ecosystem dominated by leaked [10]DIY mass Web site hacking tools and unsophisticated iframe-ing platforms, malicious artifacts are a great reminder that as long as a Web site remains susceptible to remote exploitation, it's only a matter of time before a potential cybercriminal embeds/injects malicious script on it.

That's cybercrime-friendly common sense.

Updates will be posted as soon as new developments take place.
Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang (2013-11-04 18:36)

The Koobface gang is known to have embraced the potential of the "underground multi-tasking" model a long time ago, in order to achieve the "malicious economies of scale" effect. This "underground multi-tasking" most commonly comes in the form of multiple monetization campaigns, which upon closer analysis always lead back to the Koobface gang's infrastructure. In fact, the gang is so obsessed with efficiency that particular redirectors and key malicious domains for a particular campaign are also simultaneously rotated across all the campaigns that they manage.

For instance, throughout the past half a year, a huge percentage of the malicious infrastructure used simultaneously in multiple campaigns was parked on the [1]now shut down Riccom LTD - AS29550. From the [2]massive blackhat SEO campaigns affecting millions of legitimate web sites managed by the gang, to the [3]malvertising attack at the New York Times web site, and [4]the click-fraud facilitating [5]Bahama botnet, the Koobface botnet is only the tip of the iceberg for the efficient and fraudulent money machine that the gang operates.

In this analysis, I'll once again establish a connection between the ongoing blackhat SEO campaigns managed by the gang ([6]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware; [7]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding; [8]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign), with a spam campaign that's also syndicated across multiple Google Groups, and the Koobface botnet itself, with a particular emphasis on the scareware monetization taking place across all the campaigns.

Related Koobface research and analysis:

[9] The Koobface Gang Wishes the Industry "Happy Holidays"

[10] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

[11] Koobface Botnet Starts Serving Client-Side Exploits

[12] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[13] Koobface Botnet's Scareware Business Model - Part Two

[14] Koobface Botnet's Scareware Business Model - Part One

[15] Koobface Botnet Redirects Facebook's IP Space to my Blog

[16] New Koobface campaign spoofs Adobe's Flash updater

[17] Social engineering tactics of the Koobface botnet

[18] Koobface Botnet Dissected in a TrendMicro Report

[19] Movement on the Koobface Front - Part Two

[20] Movement on the Koobface Front

[21] Koobface - Come Out, Come Out, Wherever You Are

[22] Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from [23]Dancho Danchev's blog.
17. http://content.zdnet.com/2346-12691_22-352597.html

18. http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html

19. http://ddanchev.blogspot.com/2009/08/movement-on-

20. http://ddanchev.blogspot.com/2009/08/movement-on-

21. http://ddanchev.blogspot.com/2009/07/koobface-come-out-come-out-wherever-you.html

22. http://ddanchev.blogspot.com/2009/07/dissecting-
Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang (2013-11-04 18:36)

Earlier this week, another malvertising campaign affected a popular community, in the face of Facebook's FarmTown.

You have to analyze and cross-check it to believe it.

Key summary points:

• the email test@now.net.cn, used to register all the domains involved in the malvertising campaign, is exclusively used by the Koobface gang for numerous scareware registrations seen -
Money Mule Recruiters Trick Mules Into Installing Fake Transaction Certificates (2013-11-04 18:37)

What is more flattering than Ukrainian blackhat SEO gangs using my name as a redirector, including offensive messages, the Koobface gang redirecting Facebook's IP space to your blog, or a plain simple danchodanchev admin panel within a Crime Pack kit?

It's the money mule recruiters who modify the HOSTS file of gullible mules to redirect ddanchev.blogspot.com and bobbear.co.uk to 127.0.0.1. Now that's flattering, considering the fact that my public money mule ecosystem related research represents a tiny percentage of the real profiling/activities taking place behind the curtains.



Related coverage of money laundering/recruitment in the context of cybercrime:

[1] Keeping Money Mule Recruiters on a Short Leash - Part Four

[2] Money Mule Recruitment Campaign Serving Client-Side Exploits

[3] Keeping Money Mule Recruiters on a Short Leash - Part Three

[4] Money Mule Recruiters on Yahoo's Web Hosting

[5] Dissecting an Ongoing Money Mule Recruitment Campaign

[6] Keeping Money Mule Recruiters on a Short Leash - Part Two

[7] Keeping Reshipping Mule Recruiters on a Short Leash

[8] Keeping Money Mule Recruiters on a Short Leash

[9] Standardizing the Money Mule Recruitment Process

[10] Inside a Money Laundering Group's Spamming Operations

[11] Money Mule Recruiters use ASProx's Fast Fluxing Services

[12] Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [13]Dancho Danchev's blog. Follow him [14]on Twitter.

1. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

2. http://ddanchev.blogspot.com/2010/03/money-mule-recruitment-campaign-serving.html

3. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html

4. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html

5. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html

6. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html

7. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html

8. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

9. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

10. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

11. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

12. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

13. http://ddanchev.blogspot.com/

14. http://twitter.com/danchodanchev
A Peek Inside a Customer-ized API-enabled DIY Online Lab for Generating Multi-OS Mobile Malware (2013-11-12 02:57)

The exponential growth of mobile malware over the last couple of years can be attributed to a variety of 'growth factors', the majority of which continue playing an inseparable role in the overall success and growth of the cybercrime ecosystem in general.

Tactics like [1]standardization, efficiency-oriented monetization, systematic bypassing of industry accepted/massively adopted security measures like signature-based antivirus scanning, [2]affiliate networks helping cybercriminals secure revenue streams for their malicious/fraudulent tactics, techniques and procedures (TTPs), as well as pseudo-legal distribution of deceptive software - think scareware with long EULAs and ToS-es - and of mobile applications - think [3]subscription based premium rate SMS malware with long EULAs and ToS-es - continue dominating the arsenal of tactics that any cybercriminal aspiring to occupy a market share in any market segment within the cybercrime ecosystem can easily take advantage of in 2013.

What has changed over the last couple of years, in terms of concepts? A lot. For instance, back in 2007, approximately one year after I (publicly) anticipated the upcoming and inevitable [4]monetization of mobile malware, the Red Browser started making its rounds, proving that I was sadly wrong, and once again, money and greed - or plain simple profit maximization to others - would play a crucial role in this back then emerging cybercrime ecosystem market segment for mobile malware. [5]Similar monetization attempts on behalf of cybercriminals then followed, further strengthening the ambitions of cybercriminals in this emerging market segment.

With "[6]malicious economies of scale" just starting to materialize at the time, it didn't take long before the concept started getting embedded into virtually each and every cybercrime-friendly product/service advertised on the market. Thanks to [7]Symbian OS dominating the mobile operating system landscape at the time, opportunistic cybercriminals quickly adapted to steal a piece of the pie by releasing multiple [8]Symbian based malware variants.

Sharing is caring, therefore, here are some MD5s from the Symbian malicious code that used to dominate the threat landscape back then.

Symbian OS malware MD5s from that period of time, for historical OSINT purposes:



In 2013, we can easily differentiate between the [9]botnet building type of [10]two-factor authentication bypassing mobile trojans, and the subscription based premium rate SMS malware that is ubiquitous for the market segment, relying on deceptive advertising and successful 'visual social engineering' campaigns. The latter continues getting largely monetized through one of the primary growth factors of the mobile market segment, namely, [11]affiliate networks for mobile malware.

In this post, I'll profile what can be best described as a sophisticated, customer-ized, customization and efficiency oriented, API-supporting, DIY mobile "lab" for generating, managing and operating multi-mobile-operating-system type of mobile malware campaigns. The service's unique value proposition (UVP) in comparison to that of competing "labs" for managing, operating and converting mobile traffic - [12]acquisition and selling of [13]mobile traffic is a commoditized underground market item in 2013 - orbits around the feature rich interface, offering 100% customization, monitoring and generally operating the campaigns, while efficiently earning fraudulently obtained revenue from unsuspecting mobile device users.

Sample screenshots featuring the administration panel of an affiliate network participant:



[Screenshots of the panel, Russian-language interface; only the page titles and visible controls are recoverable: "Midlet creation" (name, description, icon, screenshots and files, with Java, Android and Symbian builds); "Midlet appearance settings" (template, button/background/text colours, user agreement text, preloader page); "Billing settings" (per-operator pricing for Russia - MTS, Megafon, Beeline, other operators - Ukraine, and remaining countries, separately for Java, Android, Symbian touch and Symbian keyboard); "Trafficback" (redirect rules keyed on platform, country and screen resolution); "Code settings" with a Redirect / JS Alert / HTML Alert choice and ready-made snippets: a JavaScript loader fetched from moby-aa.ru, an .htaccess block of RewriteCond %{HTTP_USER_AGENT} tests for android, opera mini, blackberry, iphone and a long list of handset tokens, and a PHP function that returns early for a noredirect GET parameter and for one hard-coded Android user-agent string, then checks the user-agent for android, blackberry, iphone and symbian and looks at the HTTP_PROFILE, HTTP_WAP_PROFILE, HTTP_X_WAP_PROFILE and HTTP_X_OPERAMINI_PHONE_UA headers; "Domains" (system, parked, registered and monitored domains, e.g. jmobi.net, with an option to use a domain as a TDS); and a "Universal module" / "API template" page offering JavaScript and .htaccess variants, a statistics/promo/profile/payouts/FAQ/news navigation bar, and a file-extension filter (jad, sis, jar, wgt, mp3, avi, zip, rar, 7z).]
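The .htaccess snippet the panel hands out is the most durable trace it leaves on a site that has been talked (or broken) into running it. The following is an added example, not the service's or the post's code: it parses an .htaccess file, pairs each RewriteRule with the RewriteCond lines before it, and reports rules that key on a mobile user-agent and redirect off-site. The sample file, the target path and the id value are constructed; the host is one of the "system" domains the post lists.

```python
"""Added example (not the service's code nor the post's): audit an .htaccess
file for RewriteRule redirects that are conditioned on a mobile user-agent
and send visitors to an external host, the shape of the snippet the panel's
"code settings" page hands out."""
import re
from urllib.parse import urlsplit

# "System" domains listed in the post for the service.
KNOWN_SERVICE_HOSTS = {
    "jmobi.net", "omoby.net", "rrmobi.net", "moby-aa.ru", "mobyc.net",
    "mobi-files.com", "mobyw.net", "mobyy.net", "mobyz.net",
}
# User-agent tokens from the panel's snippet (backslash-escaped space as in
# mod_rewrite syntax).
MOBILE_UA_TOKENS = ("android", "blackberry", "iphone", "symbian",
                    "opera\\ mini", "windows\\ ce", "mobile")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(.+?)(?:\s+\[([^\]]*)\])?\s*$", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)


def audit_htaccess(text, own_hosts):
    """Walk the file keeping the RewriteCond lines that precede each
    RewriteRule (mod_rewrite applies them only to the next rule). Report every
    rule whose conditions test HTTP_USER_AGENT for a mobile token and whose
    target is an absolute URL on a host outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # (variable, pattern) of RewriteCond lines not yet consumed
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blanks and comments do not break a condition chain
        m = COND_RE.match(line)
        if m:
            pending.append((m.group(1).upper(), m.group(2)))
            continue
        m = RULE_RE.match(line)
        conds, pending = pending, []  # any other directive consumes the chain
        if not m:
            continue
        target = m.group(2)
        ua_patterns = [p for var, p in conds if var == "HTTP_USER_AGENT"]
        mobile = any(tok in p.lower() for p in ua_patterns for tok in MOBILE_UA_TOKENS)
        host = (urlsplit(target).hostname or "").lower() if "://" in target else ""
        if mobile and host and host not in own:
            findings.append({
                "line": lineno,
                "target": target,
                "host": host,
                "ua_patterns": ua_patterns,
                "known_service": host in KNOWN_SERVICE_HOSTS,
            })
    return findings


# Constructed sample: an injected mobile redirect block (target path and id
# are placeholders; the host is one of the post's "system" domains) followed
# by a legitimate https-forcing rule on the site's own host.
SAMPLE_HTACCESS = """# constructed sample .htaccess
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
RewriteCond %{HTTP_USER_AGENT} opera\\ mini [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR]
RewriteCond %{HTTP_USER_AGENT} iphone [NC]
RewriteRule ^(.*)$ http://moby-aa.ru/js?id=PLACEHOLDER_ID [R=302,L]

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, {"www.example.org"}):
        print("line %d: redirect to %s (known service host: %s) when UA matches %s"
              % (f["line"], f["host"], f["known_service"], ", ".join(f["ua_patterns"])))
```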


Sample "system" domains used for hosting/rotating the generated mobile malware samples courtesy of the service:

jmobi.net - 91.202.63.75
omoby.net - 91.202.63.75
rrmobi.net - 91.202.63.75
moby-aa.ru - 91.202.63.75
mobyc.net - 91.202.63.75
mobi-files.com - 91.202.63.75
mobyw.net - 91.202.63.75
mobyy.net - 91.202.63.75
mobyz.net - 91.202.63.75

Known to have responded to the same IP are also the following malicious domains:


Sample Web sites serving multi-mobile-operating-system premium rate mobile malware, relying on the service:

[Screenshot: a Russian-language app storefront listing games such as Game Dev Story, Meteor Brick Breaker 2, Osmos HD, Stick Stunt Biker, Bubble Drop and The Island Castaway under genre labels, each with an install button, and a 2001-2013 copyright footer linking to a user agreement.]
Samples generated and currently distributed in the wild using the service:

[14]MD5: ac69514f9632539f9e8ad7b944556ed8 - detected by 15 out of 48 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a

[15]MD5: e62f97a095ca15747bb529ee9f1b5057 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[16]MD5: 0688dac2754cce01183655bbbe50a0b1 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[17]MD5: 4062a77bda6adf6094f4ab209c71b801 - detected by 2 out of 44 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[18]MD5: 42a6cf362dbff4fd1b5aa9e82c5b7b56 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[19]MD5: 3bcbe78a2fa8c050ee52675d9ec931ad - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[20]MD5: 53d3d35cf896938e897de002db6ffc68 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[21]MD5: 2f66735b37738017385cc2fb56c21357 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[22]MD5: 0ec11bba4a6a86eb5171ecad89d78d05 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[23]MD5: 9f059c973637f105271d345a95787a5f - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[24]MD5: f179a067580014b1e16900b90d90a872 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[25]MD5: aef4f659943cbc530e4e1b601e75b19e - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[26]MD5: 8a00786ed6939a8ece2765d503c97ff8 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[27]MD5: 868fcf05827c092fa1939930c2f50016 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[28]MD5: a6ef49789845ed1a66f94fd7cc089e1b - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[29]MD5: 22aa473772b2dfb0f019dac3b8749bb6 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[30]MD5: 52b74046d0c123772566d591524b3bf7 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[31]MD5: bbff61a2e3555a6675bc77621be19a73 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[32]Cybercrime-friendly affiliate networks continue, and will continue, to represent a major driving factor behind the growth of any market segment within the cybercrime ecosystem, as they result in a win-win-lose scenario for their operators, participants and the potential victims of the fraudulent/malicious propositions/releases courtesy of these networks. With mobile traffic acquisition available on demand, based on any given preference a potential customer could have, cybercriminals would continue converting it into victims, cashing in on their overall lack of awareness of the TTPs of today's modern cybercriminals.

This post has been reproduced from [33]Dancho Danchev's blog. Follow him [34]on Twitter.
The exponential growth of mobile malware over the last couple of years can be attributed to a variety of 'growth factors', the majority of which continue to play an inseparable role in the overall success and growth of the cybercrime ecosystem in general.

Tactics like [1]standardization, efficiency-oriented monetization, the systematic bypassing of industry-accepted/massively adopted security measures like signature-based antivirus scanning, [2]affiliate networks helping cybercriminals secure revenue streams for their malicious/fraudulent tactics, techniques and procedures (TTPs), as well as the pseudo-legal distribution of deceptive software - think scareware with long EULAs and ToS-es - and of mobile applications - think [3]subscription-based premium-rate SMS malware with long EULAs and ToS-es - continue to dominate the arsenal of tactics that any cybercriminal aspiring to occupy a market share in any market segment within the cybercrime ecosystem can easily take advantage of in 2013.

What has changed over the last couple of years, in terms of concepts? A lot. For instance, back in 2007, approximately one year after I (publicly) anticipated the upcoming and inevitable [4]monetization of mobile malware, the Red Browser started making its rounds, proving that I was sadly wrong, and that once again money and greed - or plain simple profit maximization to others - would play a crucial role in this, back then emerging, cybercrime ecosystem market segment for mobile malware. [5]Similar monetization attempts on behalf of cybercriminals then followed, further strengthening the ambitions of cybercriminals in this emerging market segment.

With "[6]malicious economies of scale" just starting to materialize at the time, it didn't take long before the concept started getting embedded into virtually each and every cybercrime-friendly product/service advertised on the market. Thanks to [7]Symbian OS dominating the mobile operating system market at the time, opportunistic cybercriminals quickly adapted to steal a piece of the pie by releasing multiple [8]Symbian-based malware variants.

Sharing is caring, therefore here are some MD5s from the Symbian malicious code that used to dominate the threat landscape back then.

Symbian OS malware MD5s from that period of time, for historical OSINT purposes:

MD5: a4a70d9c3dbe955dd88ea6975dd909d8
MD5: 98f7cfd42df4a01e2c4f2ed6d38c1af1
MD5: 6fd6b68ed3a83b2850fe293c6db8d78d
MD5: 38837c60e2d87991c6c754f8a6fb5c2d
MD5: ace9c6c91847b29aefa0a50d3b54bac5
MD5: 3f1828f58d676d874a3473c1cd01a431
MD5: 2163ef88da9bd31f471087a55f49d1b1
MD5: 0a04f6fed68dec7507d7bf246aa265eb
MD5: ad4a9c68f631d257bd76490029227e41
MD5: 7a4639488b4698f131e42de56ceeb45d
MD5: fa3de591d3a7353080b724a294dca394
MD5: 5ba5fad8923531784cd06a1edc6e0001
MD5: 66abbd9a965b2213f895e297f40552e5
MD5: 92b069ef1fd9a5d9c78a2d3682c16b8f
MD5: a494da11f47a853308bfdb3c0705f4e1
MD5: 9f38eff6c58667880d1ff9feb9093dcb
MD5: a8a3ac5f7639d82b24e9eb4f9ec5981c
MD5: 0ebc8e9f5ec72a0ff73a73d81dc6807d
MD5: a3cd8f8302a69e786425e51467ad5f7c
MD5: 522a8efdc382b38e336d4735a73e6b23
MD5: 052abb9b41f07192e8a02f0746e80280
MD5: 712a1184c5fc1811192cba5cc7feda51
MD5: bdae8a51d4f12762b823e42aa6c3fa0a
MD5: aec4b95aa8d80ee9a57d11cb16ce75ba
MD5: 6b854f2171cca50f49d1ace2d454065a
MD5: 945279ce239d2370e4a65b4f109b533b
MD5: cde433d371228fb7310849c03792479e
MD5: 957265e799246225e078a6d65bde5717
MD5: 1f1074b709736fe4504302cbc06fd0f6
MD5: 1cd241a5ea55eb25baf50af25629af27
MD5: 60d9a75b5d3320635f9e33fe76b9b836
MD5: e23f69eea5fa000f259e417b64210d42
MD5: 36503b8a9e2c39508a50eb0bdbb66370
MD5: da13e08a8778fa4ea1d60e8b126e27be
MD5: 642495185b4b22d97869007fcbc0e00f
MD5: 9af5d82f330bbc03f35436b3cc2fba3a
MD5: 6099516a39abb73f9d7f99167157d957
MD5: 6c75b3e9bf4625dc1b754073a2d0c4f1
MD5: ffb37b431ed1f0ac5764b57fa8d4cced
MD5: b3055e852b47979a774575c09978981a
MD5: 66a0bbebbe14939706093aa5831b53a7
MD5: 30a2797f33ecb66524e01a63e49485dd
MD5: 785e921ea686c2fc8514fac94dd8a9cd
MD5: 69a68bdcbad227d5d8d1a27dd9c30ce7
MD5: f246b101bc66fe36448d0987a36c3e0a
MD5: 4fd086a236c2f3c70b7aa869fa73f762
MD5: fd8b784df4bbb8082a7534841aa02f0e
MD5: 3ee70d31d0a3b6fab562c51d8ff70e6d
MD5: 3381d21f476d123dcf3b5cbc27b22ae1
MD5: 006b32148ce6747fddb6d89e5725573e
MD5: b9667e23bd400edcafde58b61ac05f96
MD5: 12527fd41dd6b172f8e28049011ebd05
MD5: c9baecb122bb6d58f765aaca800724d2
MD5: 799531e06e6aa19d569595d32d16f7cc
MD5: e301c2135724db49f4dd5210151e8ae9
MD5: 29d7c73bd737d5bb48f272468a98d673

In 2013, we can easily differentiate between the [9]botnet-building type of [10]two-factor-authentication-bypassing mobile trojans and the subscription-based premium-rate SMS malware ubiquitous in the market segment, which relies on deceptive advertising and successful 'visual social engineering' campaigns. The second continues to get largely monetized through one of the primary growth factors of the mobile market segment, namely [11]affiliate networks for mobile malware.

In this post, I'll profile what can best be described as a sophisticated, customer-oriented, customization- and efficiency-driven, API-supporting, DIY mobile "lab" for generating, managing and operating multi-mobile-operating-system mobile malware campaigns. The service's unique value proposition (UVP), in comparison to that of competing "labs" for managing, operating and converting mobile traffic - the [12]acquisition and selling of [13]mobile traffic is a commoditized underground market item in 2013 - orbits around its feature-rich interface, offering 100% customization, monitoring and general operation of the campaigns, while efficiently earning fraudulently obtained revenue from unsuspecting mobile device users.

Sample screenshots featuring the administration panel of an affiliate network participant:
Sample "system" domains used for hosting/rotating the generated mobile malware samples courtesy of the service:

jmobi.net - 91.202.63.75
omoby.net - 91.202.63.75
rrmobi.net - 91.202.63.75
moby-aa.ru - 91.202.63.75
mobyc.net - 91.202.63.75
mobi-files.com - 91.202.63.75
mobyw.net - 91.202.63.75
mobyy.net - 91.202.63.75
mobyz.net - 91.202.63.75

Known to have responded to the same IP are also the following malicious domains:

doklamenol.ru
doklameno2.ru
downloadakpinstall.ru
mobiy.net
moby-aa.ru
moby-ae.ru
mobyc.net
mobyw.com
mobyw.net
mobyy.net
mobyz.net
omoby.net
rrmobi.net
system-update.ru
telefontown.pp.ua
Sample Web sites serving multi-mobile-operating-system premium-rate mobile malware, relying on the service:

Samples generated and currently distributed in the wild using the service:

[14] MD5: ac69514f9632539f9e8ad7b944556ed8 - detected by 15 out of 48 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a

[15] MD5: e62f97a095ca15747bb529ee9f1b5057 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[16] MD5: 0688dac2754cce01183655bbbe50a0b1 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[17] MD5: 4062a77bda6adf6094f4ab209c71b801 - detected by 2 out of 44 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[18] MD5: 42a6cf362dbff4fd1b5aa9e82c5b7b56 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[19] MD5: 3bcbe78a2fa8c050ee52675d9ec931ad - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[20] MD5: 53d3d35cf896938e897de002db6ffc68 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[21] MD5: 2f66735b37738017385cc2fb56c21357 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.D X

[22] MD5: 0ec11bba4a6a86eb5171ecad89d78d05 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[23] MD5: 9f059c973637f105271d345a95787a5f - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[24] MD5: f179a067580014b1e16900b90d90a872 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[25] MD5: aef4f659943cbc530e4e1b601e75b19e - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[26] MD5: 8a00786ed6939a8ece2765d503c97ff8 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[27] MD5: 868fcf05827c092fa1939930c2f50016 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[28] MD5: a6ef49789845ed1a66f94fd7cc089e1b - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[29] MD5: 22aa473772b2dfb0f019dac3b8749bb6 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[30] MD5: 52b74046d0c123772566d591524b3bf7 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[31] MD5: bbff61a2e3555a6675bc77621be19a73 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
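The lists above are the raw form in which indicators like these usually arrive: hashes and "domain - IP" pairs, with duplicate entries, OCR-style damage (l for 1, O for 0) and the per-sample detection ratio buried in prose. The following is an added example, not code from the original post, of turning that into something a team can act on. It parses the post's own line formats, repairs and deduplicates the hashes, attaches each hash's detection ratio and names, and groups domains by the IP they resolved to, so the shared-hosting pivot the post applies by hand (every "system" domain sitting on 91.202.63.75) can be run over any list. The sample input is a constructed excerpt in the same format; the hosts and hashes in it are ones listed above, and the second hash deliberately carries the l-for-1 damage.

```python
import re
from collections import OrderedDict, defaultdict

# The post writes each hash as "MD5: <hex>", optionally prefixed by a "[N] " tag.
MD5_LINE = re.compile(r"MD5:\s*([0-9A-Za-z]{32})\b")
DOMAIN_IP_LINE = re.compile(
    r"^\s*([a-z0-9.-]+\.[a-z]{2,})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.I)
DETECTION = re.compile(r"detected by (\d+) out of (\d+) antivirus scanners as (.+)$")

# OCR routinely turns 1 into l/I and 0 into O; a genuine MD5 never contains these.
OCR_FIXES = str.maketrans({"l": "1", "I": "1", "O": "0", "o": "0"})


def normalize_md5(token):
    """Return (hash, repaired) for a 32-char token, or None if it is not hex even after repair."""
    fixed = token.translate(OCR_FIXES).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", fixed):
        return None
    return fixed, fixed != token.lower()


def parse_iocs(text):
    """Collect unique hashes (with detection data), the tokens that needed repair, and domain->IP pairs."""
    hashes = OrderedDict()          # md5 -> (hits, engines, names) or None; first-seen order kept
    repaired = []
    domains_by_ip = defaultdict(set)
    pending = None                  # hash most recently seen; a detection line may follow it
    for line in text.splitlines():
        m = DOMAIN_IP_LINE.match(line)
        if m:
            domains_by_ip[m.group(2)].add(m.group(1).lower())
            continue
        m = MD5_LINE.search(line)
        if m:
            result = normalize_md5(m.group(1))
            if result is None:
                continue            # not a hash at all; skip rather than guess
            md5, was_repaired = result
            if was_repaired:
                repaired.append(m.group(1))
            hashes.setdefault(md5, None)
            pending = md5
        m = DETECTION.search(line)
        if m and pending:
            names = tuple(n.strip() for n in m.group(3).split(";") if n.strip())
            hashes[pending] = (int(m.group(1)), int(m.group(2)), names)
    return {"hashes": hashes, "repaired": repaired, "domains_by_ip": dict(domains_by_ip)}


def pivot_on_ip(domains_by_ip, seed_domains):
    """Domains co-hosted with any seed domain: the shared-IP pivot the post applies by hand."""
    seeds = {d.lower() for d in seed_domains}
    related = set()
    for domains in domains_by_ip.values():
        if domains & seeds:
            related |= domains - seeds
    return sorted(related)


# Constructed excerpt in the post's own format; the second hash carries OCR damage.
SAMPLE = """\
jmobi.net - 91.202.63.75
omoby.net - 91.202.63.75
mobyc.net - 91.202.63.75
mobyc.net - 91.202.63.75
[14] MD5: ac69514f9632539f9e8ad7b944556ed8 - detected by 15 out of 48 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a
[15] MD5: e62f97a095cal5747bb529ee9flb5057 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX
MD5: 38837c60e2d87991c6c754f8a6fb5c2d
MD5: 38837c60e2d87991c6c754f8a6fb5c2d
MD5: ace9c6c91847b29aefa0a50d3b54bac5
"""

if __name__ == "__main__":
    report = parse_iocs(SAMPLE)
    for md5, detection in report["hashes"].items():
        print(md5, detection or "(no detection data)")
    print("repaired tokens:", report["repaired"])
    print("co-hosted with mobyc.net:", pivot_on_ip(report["domains_by_ip"], ["mobyc.net"]))
```

The 2-out-of-46 detection ratios the post reports are exactly why the hash list alone is a weak control: the domain-to-IP grouping is the indicator that survives a rebuild of the J2ME sample, and pivot_on_ip() is what turns one known "system" domain into the whole set on that host.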

[32]Cybercrime-friendly affiliate networks continue, and will continue, to represent a major driving factor behind the growth of any market segment within the cybercrime ecosystem, as they result in a win-win-lose scenario for their operators, their participants and the potential victims of the fraudulent/malicious propositions/releases courtesy of these networks.

With mobile traffic acquisition available on demand, based on any preference a potential buyer could have, cybercriminals will continue converting it into victims, cashing in on their overall lack of awareness of the TTPs of today's cybercriminals.

Updates will be posted as soon as new developments take place.

1. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html
2. http://www.webroot.com/blog/tag/affiliate-networks/
3. http://www.webroot.com/blog/2013/09/18/affiliate-network-mobile-malware-impersonates-google-play-tricks-users-installing-premium-rate-sms-sending-rogue-apps/
4. http://ddanchev.blogspot.com/2007/05/commercializing-mobile-malware_18.html
5. http://ddanchev.blogspot.com/2008/07/mobile-malware-scam-isexplayer-wants.html
6. http://ddanchev.blogspot.com/2007/07/malware-embedded-sites-increasing.html
7. http://www.internetnews.com/wireless/article.php/3584431
8. http://ddanchev.blogspot.com/2009/07/transmitterc-mobile-malware-in-wild.html
9. http://www.webroot.com/blog/2013/10/25/cybercriminals-release-new-commercially-available-androidblackberry-supporting-mobile-malware-bot/
10. managed-otpatstan-token.html
11. http://www.webroot.com/blog/2013/09/18/affiliate-network-mobile-malware-impersonates-google-play-tricks-users-installing-premium-rate-sms-sending-rogue-apps/
12. http://www.webroot.com/blog/2013/08/13/cybercrime-friendly-underground-traffic-exchange-helps-facilitate-fraudulent-and-malicious-activity/
13. http://www.webroot.com/blog/2013/08/29/cybercrime-friendly-underground-traffic-exchanges-help-facilitate-fraudulent-and-malicious-activity-part-two/
14. https://www.virustotal.com/en/file/1a3e255ccb734021ff8c89b4f14196d065fa1905ab5df398431df4909b1ed1d7/analysis/
15. https://www.virustotal.com/en/file/5a0f6fe6d46d6bda81a237d72a60ec55df7062be4dff1abe7712d64d1a6a9a1f/analysis/1383771675/
16. https://www.virustotal.com/en/file/61dd75041770fb177a76658bf620b8568aec47d3c8c779d94913e549090479f8/analysis/1383771784/
17. https://www.virustotal.com/en/file/195a3be1048d9b8192670a488cf991b39d6ff6c8a3d2996dfef30633fe9eeac5/analysis/1383771850/
18. https://www.virustotal.com/en/file/5c19a007d6620c542940a2ebf441db7a4285ee42cea2e4e4b153aab80b44fa4d/analysis/1383771922/
19. https://www.virustotal.com/en/file/669e7c760993098bfe6f1d
is/1383772019/
is/1383772403/
24. https://www.virustotal.com/en/file/f7a8d5bf295dcc0d614ccb10a25aaa7645c9f6c5240da481bf18bbe9f050e8cd/analysis/
25. https://www.virustotal.com/en/file/77779337b988c5c4a606cb5299c0cb92e39766ae05d3cbe5dc005064d1059eb4/analysis/1383784127/
26. https://www.virustotal.com/en/file/5e9963185d18b01a5900d53f436c70ea4260de9327e52ef97107a755ca60b570/analysis/1383784229/
27. https://www.virustotal.com/en/file/c618d84e47ef2ccdd11d7a2f3883e5fa7bca52442bf3a0904e1723f3dc459461/analysis/1383784294/
28. https://www.virustotal.com/en/file/62f4c45a5f698c759e66187d6d322b476e78d973aa6bf6daabcebb2d6139ad2d/analysis/1383784390/
29. https://www.virustotal.com/en/file/26c88732e4895244a937553c25bce2378718fc4e5af0977abdb6cedc9dbb9fbb/analysis/1383784546/
30. https://www.virustotal.com/en/file/0713ef64ca57ab7164142f485208dba9cace1b8f9da3fdaaa0c840541df6b843/analysis/1383784624/
31. https://www.virustotal.com/en/file/f8b10b6ae34c01878d24fd3bf29235b117303dd17b720e15126f0cc6a3110adf/analysis/1383785064/
32. http://www.zdnet.com/blog/security/inside-an-affiliate-spam-program-for-pharmaceuticals/2054
New Commercially Available Modular Malware Platform Released On the Underground Marketplace

(2013-11-13 00:15)

Cybercriminals have recently released a new (v3, to be more precise, indicating possible beneath-the-radar operation until now), commercially available, modular malware platform, including such cybercrime-friendly features as a DNS Changer, Loaders, [1]Injects and [2]Ransomware features - completely blocking the Internet access of [3]the affected user in this particular case - with several upcoming modules such as stealth VNC and Remote IE (a feature which would allow them to completely hijack any sort of encrypted session taking place on the affected host, naturally including the cookies).

Sample screenshots of the command and control interface + DNS Changer in action:

With prices for the standard package starting from $1,500, I expect that the malware bot will quickly gain market share thanks to its compatibility with existing/working crimeware concepts/releases, as well as thanks to the general availability of 24/7/365 [4]managed malware crypting services, applying the necessary degree of QA (Quality Assurance) to a potential campaign before launching it. Moreover, yet another factor that would greatly contribute to the success of such newly released platforms is the ease of acquisition of legitimate traffic - think [5]blackhat SEO, [6]compromised FTP accounts, or [7]mass SQL injection campaigns - to be later converted into malware-infected hosts, most commonly through social engineering, or through the client-side exploitation of already patched vulnerabilities in outdated browser plugins/third-party applications.

Furthermore, with or without the full-scale modularity in place - some of the modules are currently in the works - and despite the lack of built-in renting/reselling/traffic acquisition/affiliate network type monetization elements, typical for what can best be described as a platform-type underground market release as opposed to a standalone modular malware bot, the bot is worth keeping an eye on.

The DNS Changer IP seen in the screenshot, 62.76.176.214 (62-76-176-214.clodo.ru), can also be connected to related malicious activity. For instance, [8]MD5: cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to 62.76.176.214.

And most interestingly, [9]according to this assessment, next to phoning back to 62.76.176.214, the following malicious domains are also known to have been used as C&Cs by the same sample:

6r3u8874dfd9.com - known to have responded to 31.170.179.179
r55u87799hd39.com - known to have responded to 31.170.179.179
r95u8114dfd9.com

The following malicious MD5s are also known to have phoned back to the same C&C IP (31.170.179.179) since the beginning of the month:

MD5: 56f05611ec91f010d015536b7e9fe1a5
MD5: 49aeaa9fad5649d20a9c56e611e81d96
MD5: bf4fa138741ec4af0a0734b28142f7ae
MD5: cd92df2172a40ebb507fa701dcb14fea
MD5: 1d51cde1ab7a1d3d725e507089d3ba5e
MD5: a00695df0a50b3d3ffeb3454534d97a8
MD5: ea8340c95589ca522dac1e04839a9ab9
MD5: f2933ca59e8453a2b50f6d38a9ad9709
MD5: dd9c4ba82de8dcf0f3e440b302e223e8
MD5: d92ad37168605579319c3dff4d6e8c26
MD5: 004bf3f6b7f49d5c650642dde3255b16
MD5: deb8bcd6c7987ee4e0a95273e76feccd
MD5: 1791cb3e3da28aec11416978f415dcd3
MD5: 7eae6322c9dcaa0f12a99f2c52b70224
MD5: 0027511d25a820bcdc7565257fd61ba4
MD5: 294edcdaab9ce21cb453dc40642f1561
MD5: b414d9f54a723e8599593503fe0de4f1
MD5: 20ee0617e7dc03c571ce7d5c2ee6a0a0
MD5: e1059ae3fb9c62cf3272eb6449de23cf
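The DNS Changer module is the part of this platform a defender can check for directly, because its artifact is the host's resolver configuration. The check below is an added example, not the platform's or the author's code: it reads resolver settings from a resolv.conf body and from the "DNS Servers" lines of Windows "ipconfig /all" output (both constructed here), then flags any resolver that is the address seen in the panel, 62.76.176.214, or that lies outside the networks where the organisation's own resolvers live. The allowed ranges are an assumption for a hypothetical network; a real deployment substitutes its own and loads the bad-resolver set from a feed.

```python
import ipaddress
import re

# The address the post ties to the platform's DNS Changer module.
KNOWN_BAD_RESOLVERS = {ipaddress.ip_address("62.76.176.214")}

# Where this (hypothetical) organisation's resolvers live; an assumption for the example.
ALLOWED_RESOLVER_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                         ipaddress.ip_network("192.168.0.0/16")]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NAMESERVER = re.compile(r"^\s*nameserver\s+(" + IPV4 + r")", re.M)
# "ipconfig /all" prints the first server after the label and any further
# ones on their own indented lines; only IPv4 tokens are taken as servers.
WIN_DNS = re.compile(r"DNS Servers[ .]*:\s*(" + IPV4 + r")((?:\r?\n[ \t]+" + IPV4 + r")*)")


def resolvers_from_resolv_conf(text):
    """Resolver addresses from a Unix resolv.conf body."""
    return [ipaddress.ip_address(ip) for ip in NAMESERVER.findall(text)]


def resolvers_from_ipconfig(text):
    """Resolver addresses from the text output of 'ipconfig /all' on Windows."""
    found = []
    for first, rest in WIN_DNS.findall(text):
        found.append(ipaddress.ip_address(first))
        found.extend(ipaddress.ip_address(ip) for ip in rest.split())
    return found


def classify(resolvers):
    """Pair each resolver with a verdict: 'known-bad', 'ok' (in an allowed range) or 'unexpected'."""
    verdicts = []
    for r in resolvers:
        addr = ipaddress.ip_address(r) if isinstance(r, str) else r
        if addr in KNOWN_BAD_RESOLVERS:
            verdict = "known-bad"
        elif any(addr in net for net in ALLOWED_RESOLVER_NETS):
            verdict = "ok"
        else:
            verdict = "unexpected"   # not the indicator, but not ours either: investigate
        verdicts.append((str(addr), verdict))
    return verdicts


# Constructed resolver settings for two hosts, both repointed at the indicator.
RESOLV_CONF = """\
# constructed example
search corp.example
nameserver 62.76.176.214
nameserver 10.1.1.53
"""

IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 62.76.176.214
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print("resolv.conf:", classify(resolvers_from_resolv_conf(RESOLV_CONF)))
    print("ipconfig:   ", classify(resolvers_from_ipconfig(IPCONFIG)))
```

On Windows the same setting is also stored per interface in the NameServer value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, which is what a changer that works through the registry writes; reading that value and handing it to classify() covers the same ground without parsing console output. An "unexpected" verdict is not proof of infection, but a resolver the organisation did not configure deserves the same follow-up as the known address.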

This post has been reproduced from [10]Dancho Danchev's blog. Follow him [11]on Twitter.

1. http://ddanchev.blogspot.com/2013/07/a-peek-inside-managed-otpatstan-token.html
2. http://www.webroot.com/blog/tag/ransomware/
3. https://www.google.com/webhp?tab=ww&ei=#q=site:ddanchev.blogspot.com+ransomware
4. https://www.google.com/webhp?tab=ww&ei=#q=site:webroot.com%2Fblog+crypting
5. https://www.google.com/webhp?tab=ww&ei=#q=site:ddanchev.blogspot.com+blackhat+seo
6. https://www.google.com/webhp?tab=ww&ei=#q=site:ddanchev.blogspot.com+ftp+accounts
7. https://www.google.com/webhp?tab=ww&ei=#q=site:ddanchev.blogspot.com+sql+injection
8. https://www.virustotal.com/en/file/4ca375c6db3d32dde7b981b0981079d8e13bd121a81c835d58d02a046d98277f/analysis/
9. http://www.symantec.com/security_response/writeup.jsp?docid=2013-101610-5035-99&tabid=2
10. http://ddanchev.blogspot.com/
11. http://twitter.com/danchodanchev
Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to Android Malware (2013-11-14 16:38)

A currently ongoing [1]malicious campaign, using compromised sites as its primary traffic acquisition tactic, is attempting to socially engineer users (English- and Russian-speaking) into thinking that they're using an outdated version of their browser and need to apply a bogus (security/antivirus) update. In reality, though, the update is a variant of Trojan:Android/FakeInst.EQ / Android.SmsSend.

Sample screenshots of the fake browser update landing pages:

Social engineering redirection chain:

hxxp://france-leasebacks.com/includes/domit/l.php -> hxxp://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf75a755/tl (93.115.82.239; Email: maxax-aha@gmail.com) -> hxxp://newupdateronline.org (109.163.230.182; Email: vbistrih@yandex.com).

Known to have responded to 109.163.230.182 are also the following domains:

lmc8.asia
anglecultivatep.in
appallinglyndiscoveries.in
bilious-6biros.in
boathire.pw
cvwv87.pro
dlsdcncnewl.pw
efuv77.pro
familye-perspex.in
farting-meagre.in
flvupdate.in
fringeclamberedk.in
hopefully-great8.in
investment-growsa.asia
money-tree.pw
moon-media.pw
moontree.pw
mountainlake.pw
movingv-relation.in
new-updateronline.org

Sample Android apps pushed by the campaign:

[2] MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scanners as Android.SmsSend.809.origin; Android.Trojan.FakeInst.HE

[3] MD5: 1e1f57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL

[4] MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL

[5] MD5: b40aebc327e1bc6aabe5ccb4f18e8ea4 - detected by 16 out of 48 antivirus scanners as Android:FakeIns-AF; Trojan:Android/FakeInst.EQ

All samples phone back to dlsdcncnew.net (109.163.230.182; Email: constantin.zawyalov@yandex.ru). Responding to the same IP is also newapk-flv.org.

The same email is also known to have been previously used to register the following domains:

downloader8days.in
open-filedownload4.in (known to have responded to 188.95.159.30)
upweight.in
bestnewbrowsers.in
bestowedcomedyb.org (known to have responded to 109.163.230.180)
expandload.in
2012internet-load.in
4interfilefolder.in
99030.in
admitted-6crept.org
rufileserver.in

It appears that the traffic is not segmented - to [6]affect mobile device users only - at any point of the redirection chain, an indication of what I believe is a boutique cybercrime-friendly operation. In comparison, the relatively more sophisticated ones would segment the traffic, usually acquired through the [7]active exploitation of tens of thousands of legitimate Web sites, or through the direct purchase of segmented mobile traffic.
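The chain above (compromised site, redirector, lure, APK) leaves a trail in any web proxy log that records the Referer, and the lack of segmentation noted above means desktop browsers will show up in that trail as well. What follows is an added example, not code from the original post, of reconstructing such chains per client from proxy logs: it links each request to the earlier one its Referer names, reports every chain that touches one of the hosts named above at the chain's last hop, and records whether the chain ended in an APK download and whether the client was an Android device. The log format and the log lines are constructed; the hosts and paths are those of the chain above, except the APK file name, which is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts the post places in the chain or behind it; in practice loaded from a feed.
CAMPAIGN_DOMAINS = {
    "advertcliks.net",         # redirector between the compromised site and the lure
    "newupdateronline.org",    # fake browser-update landing page
    "new-updateronline.org",
    "dlsdcncnew.net",          # where the samples phone back
    "newapk-flv.org",
}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def parse_log(lines):
    """Constructed tab-separated format: ts, client, url, status, referer, user_agent."""
    by_client = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, url, status, referer, ua = line.rstrip("\n").split("\t")
        by_client[client].append({"ts": ts, "url": url, "status": int(status),
                                  "referer": referer, "ua": ua})
    return by_client


def walk_back(reqs, i):
    """Follow Referer values backwards from reqs[i] to the first request in its chain."""
    chain = [reqs[i]]
    ref = reqs[i]["referer"]
    for j in range(i - 1, -1, -1):
        if ref in ("", "-"):
            break
        if reqs[j]["url"] == ref:
            chain.insert(0, reqs[j])
            ref = reqs[j]["referer"]
    return chain


def find_campaign_hits(by_client):
    """One finding per chain that touches a campaign host, reported at the chain's last hop."""
    findings = []
    for client, reqs in by_client.items():
        referenced = {r["referer"] for r in reqs}
        for i, req in enumerate(reqs):
            if req["url"] in referenced:
                continue                       # a later request continues this chain
            hosts = [host_of(r["url"]) for r in walk_back(reqs, i)]
            if not CAMPAIGN_DOMAINS.intersection(hosts):
                continue
            path = urlsplit(req["url"]).path.lower()
            findings.append({
                "client": client,
                "entry": hosts[0],             # the compromised site that started the chain
                "chain": hosts,
                "apk_download": path.endswith(".apk") and req["status"] == 200,
                # The traffic is not segmented by device, so desktop browsers reach
                # the lure too; record what kind of client this was.
                "android_client": "android" in req["ua"].lower(),
            })
    return findings


# Constructed log lines: one Android client that completes the chain and one
# desktop client that reaches the lure but downloads nothing.
ANDROID_UA = "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300) AppleWebKit/534.30"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
ENTRY = "http://france-leasebacks.com/includes/domit/l.php"
TDS = "http://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf75a755/tl"
LURE = "http://newupdateronline.org/"
APK = "http://dlsdcncnew.net/update.apk"     # file name is an assumption

LOG = "\n".join([
    "# ts\tclient\turl\tstatus\treferer\tuser_agent",
    f"2013-11-14T10:00:01Z\t10.0.0.7\t{ENTRY}\t302\t-\t{ANDROID_UA}",
    f"2013-11-14T10:00:02Z\t10.0.0.7\t{TDS}\t302\t{ENTRY}\t{ANDROID_UA}",
    f"2013-11-14T10:00:03Z\t10.0.0.7\t{LURE}\t200\t{TDS}\t{ANDROID_UA}",
    f"2013-11-14T10:00:09Z\t10.0.0.7\t{APK}\t200\t{LURE}\t{ANDROID_UA}",
    f"2013-11-14T10:05:00Z\t10.0.0.9\t{ENTRY}\t302\t-\t{DESKTOP_UA}",
    f"2013-11-14T10:05:01Z\t10.0.0.9\t{LURE}\t200\t{ENTRY}\t{DESKTOP_UA}",
    f"2013-11-14T10:06:00Z\t10.0.0.12\thttp://example.org/\t200\t-\t{DESKTOP_UA}",
])

if __name__ == "__main__":
    for finding in find_campaign_hits(parse_log(LOG.splitlines())):
        print(finding)
```

The "entry" field is the one to hand to the web team: it names the legitimate site carrying the injected redirect, which is the hop the post identifies as the campaign's traffic source and the only one the organisation can get cleaned up.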

Interestingly, both novice players in this market segment and the experienced ones are implementing basic evasive tactics, such as, for instance, requiring a valid mobile number to which a potential victim will receive a confirmation code for accessing the inventory of rogue games and applications, thereby preventing automated acquisition of the apps for further analysis. Moreover, a valid mobile number handed to the cybercriminals behind the campaign is naturally prone to be abused in whatever ways those who obtained it prefer, therefore users are advised to treat their mobile number in a privacy-conscious way.

This post has been reproduced from [8]Dancho Danchev's blog. Follow him [9]on Twitter.

1. http://ddanchev.blogspot.com/2013/09/rogue-iframe-injected-web-sites-lead-to.html
2. https://www.virustotal.com/en/file/2ef49d2ba03c8d9420e008edb8d04fb3abad2fd41684e65d0d47ef5fc4d2787a/analysis/
3. https://www.virustotal.com/en/file/65bb64a9e651ea785d2ba92c2ab8bd02f6353ae472bf2bc5f917b79bfdf67a10/analysis/
4. https://www.virustotal.com/en/file/7e7528e5a1f2328c8e5167ad51c4cda8791f5b213cd85a436bdd83681b8ad7f6/analysis/
5. https://www.virustotal.com/en/file/52dfd24ce2af44c37f5cb8cd7ed37bc0c62bff5148293b891cc5ef558fdc5369/analysis/
6. http://www.webroot.com/blog/2013/01/22/android-malware-spreads-through-compromised-legitimate-web-sites/
7. http://ddanchev.blogspot.com/2013/09/rogue-iframe-injected-web-sites-lead-to.html
8. http://ddanchev.blogspot.com/
9. http://twitter.com/danchodanchev
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Fake Chrome/Firefox/Internet Explorer/Safari Updates 
Expose Users to Android Malware (2013-11-14 16:38) 

A currently ongoing [l]malicious campaign using 
compromised sites as the primary traffic acquisition 
tactic, is 

attempting to socially engineer users (English and Russian 
speaking) into thinking that they're using an outdated 

version of their browser, and need to apply a bogus 
(security/antivirus) update. In reality though, the update is a 

variant of TrojamAndroid/Fakeinst.EQ/Android.SmsSend. 

Sample screenshots of the fake browser update 
landing pages: 
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Social 

engineering 

redirection 

chain: 

hxxp://france-leasebacks. com/includes/domit/l.php 
-> 

hxxp://advertcliks. net/ir/28/1405/56e9cal335c2773445a 79d 
5ddf75a 755/tl 

(93.115.82.239; 

Email: 

maxax- 

aha@gmaii.com) -> hxxp://newupdateronline.org 
(109.163.230.182; Email: vbistrih@yandex.com). 

Known to have responded to 109.163.230.182 are 
also the following domains: 

lmc8.asia 

anglecultivatep.in 


appall i ng ly nd iscoveries. i n 

bilious-6biros.in 
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boathire.pw 

cvwv87.pro 

dlsdcncnewl.pw 

efuv77.pro 

familye-perspex.in 

farting-meagre.in 

flvupdate.in 

fringeclamberedk.in 

hopefully-great8.in 

investment-growsa.asia 

money-tree.pw 

moon-media.pw 

moontree.pw 

mountainlake.pw 

movingv-relation.in 

new-updateronline.org 

Sample Android samples pushed by the campaign: 



[2]MD5: 


da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 
out of 46 antivirus scanners as An¬ 
droid.SmsSend.809.origin; And roi d.Trojan. Fakelnst. HE 

[3] MD5: Ielf57f6c8c9fb39da8965275548174f - 

detected by 17 out of 46 antivirus scanners as HEUR:Trojan- 

SMS.AndroidOS.Fakelnst.fe; Andr/RuSms-AL 

[4] MD5: b0f597636859b7f5b2cl574d7a8bbbbb - 

detected by 13 out of 47 antivirus scanners as HEUR:Trojan- 

SMS.AndroidOS.Fakelnst.fe; Andr/RuSms-AL 

[5] MD5: b40aebc327elbc6aabe5ccb4fl8e8ea4 - 

detected by 16 out of 48 antivirus scanners as 
Android:Fakelns-AF; 

Trojan: And roi d/Fakeinst.EQ 

All samples phone back to dlsdcncnew.net 
(109.163.230.182; Email: constantin.zawyalov@yandex.ru). 


Re¬ 
sponding to the same IP is also newapk-flv.org. 

The same email is also known to have been 
previously used to register the following domains: 

downloader8days.in 

open-filedownload4.in (known to have responded to 
188.95.159.30) 



upweight.in 
bestnewbrowsers.in 


bestowedcomedyb.org (known to have responded to 
109.163.230.180) 

expandload.in 

2012internet-load.in 

4interfilefolder.in 

99030.in 

admitted-6crept.org 

rufileserver.in 

It appears that the traffic is not segmented - to [6]affect 
mobile device users only - at any point of the redi¬ 
rection chain, an indication of what I believe is a boutique 
cybercrime-friendly operation. In comparison, the 

relatively more sophisticated ones would segment the traffic, 
usually acquired through the [7]active exploitation of 

tens of thousands of legitimate Web sites, or the direct 
purchase of segmented mobile traffic. 

Interestingly, both novice players in this market segment, 
and the experienced ones, are implementing basic 

evasive tactics, such as, for instance, the need to provide a 
valid mobile number, where a potential victim will receive 
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a confirmation code for accessing the inventory of rogue 
games and applications, thereby preventing automatic 
acquisition of the apps for further analysis. 

Moreover, a valid mobile number handed to the cybercriminals behind the campaign is naturally prone to abuse in whatever way suits those who obtained it. Users are therefore advised to treat their mobile number in a privacy-conscious way.

Updates will be posted as soon as new developments take 
place. 

1. http://ddanchev.blogspot.com/2013/09/rogue-iframe-injected-web-sites-lead-to.html

2. https://www.virustotal.com/en/file/2ef49d2ba03c8d9420e008edb8d04fb3abad2fd41684e65d0d47ef5fc4d2787a/analysis/

3. https://www.virustotal.com/en/file/65bb64a9e651ea785d2ba92c2ab8bd02f6353ae472bf2bc5f917b79bfdf67a10/analysis/

4. https://www.virustotal.com/en/file/7e7528e5a1f2328c8e5167ad51c4cda8791f5b213cd85a436bdd83681b8ad7f6/analysis/

5. https://www.virustotal.com/en/file/52dfd24ce2af44c37f5cb8cd7ed37bc0c62bff5148293b891cc5ef558fdc5369/analysis/

6. http://www.webroot.com/blog/2013/01/22/android-malware-spreads-through-compromised-legitimate-web-sites/

7. http://ddanchev.blogspot.com/2013/09/rogue-iframe-injected-web-sites-lead-to.html
Summarizing Webroot's Threat Blog Posts for
November (2013-12-03 23:38)

The following is a brief summary of all of my posts at
[1]Webroot's Threat Blog for November, 2013. You can
subscribe to [2]Webroot's Threat Blog RSS Feed, or
follow me on Twitter:

01. [3]Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity

02. [4]Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)

03. [5]Cybercriminals differentiate their 'access to compromised PCs' service proposition, emphasize on the prevalence of 'female bot slaves'

04. [6]New vendor of 'professional DDoS for hire service' spotted in the wild

05. [7]Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity

06. [8]Low Quality Assurance (QA) iframe campaign linked to May's Indian government Web site compromise spotted in the wild

07. [9]Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)

08. [10]Web site of Brazilian 'Prefeitura Municipal de Jaqueira' compromised, leads to fake Adobe Flash player

09. [11]Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits

10. [12]Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool

11. [13]Cybercriminals spamvertise tens of thousands of fake 'Sent from my iPhone' themed emails, expose users to malware

12. [14]Fake 'Annual Form (STD-261) - Authorization to Use Privately Owned Vehicle on State Business' themed emails lead to malware

13. [15]Newly released proxy-supporting Origin brute-forcing tools targets users with weak passwords

14. [16]Fake WhatsApp 'Voice Message Notification' themed emails expose users to malware

15. [17]Cybercriminals impersonate HSBC through fake 'payment e-Advice' themed emails, expose users to malware

16. [18]Fake 'MMS Gallery' notifications impersonate T-Mobile U.K, expose users to malware

17. [19]Fake 'October's Billing Address Code' (BAC) form themed spam campaign leads to malware

This post has been reproduced from [20]Dancho 
Danchev's blog . Follow him [21]on Twitter. 

1. http://www.webroot.com/blog

2. http://feeds2.feedburner.com/WebrootThreatBlog

3. http://www.webroot.com/blog/2013/11/01/peek-inside-google-dorks-based-mass-sql-injecting-tool/

4. http://www.webroot.com/blog/2013/11/01/deceptive-ads-lead-spyalertapp-pua-potentially-unwanted-application/

5. http://www.webroot.com/blog/2013/11/04/cybercriminals-differentiate-access-compromised-pcs-service-proposition-emphasize-prevalence-female-bot-slaves/

6. http://www.webroot.com/blog/2013/11/05/new-vendor-professional-ddos-hire-service-spotted-wild/

7. http://www.webroot.com/blog/2013/11/07/source-code-proprietary-spam-bot-offered-sale-acts-force-multiplier-cybercrime-friendly-activity/

8. http://www.webroot.com/blog/2013/11/08/low-quality-assurance-qa-iframe-campaign-linked-mays-india-government-web-site-compromise-spotted-wild/

9. http://www.webroot.com/blog/2013/11/11/popular-french-torrent-portal-tricks-users-into/

10. http://www.webroot.com/blog/2013/11/12/web-site-brazilian-prefeitura-municipal-de-jaqueira-compromised-leads-fake-adobe-flash-player/

11. http://www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/

12. http://www.webroot.com/blog/2013/11/15/vendor-tdos-productsservices-releases-new-multi-threaded-sip-based-tdos-tool/

13. http://www.webroot.com/blog/2013/11/19/cybercriminals-spamvertise-tens-thousands-fake-sent-iphone-themed-emails-expose-users-malware/

14. http://www.webroot.com/blog/2013/11/20/fake-annual-form-std-261-authorization-use-privately-owned-vehicle-state-business-themed-emails-lead-malware/

15. http://www.webroot.com/blog/2013/11/21/newly-released-proxy-supporting-origin-brute-forcing-tools-targets-users-weak-passwords/

16. http://www.webroot.com/blog/2013/11/22/fake-whatsapp-voice-message-notification-themed-emails-expose-users-malware/

17. http://www.webroot.com/blog/2013/11/25/cybercriminals-impersonate-hsbc-fake-payment-e-advice-themed-emails-expose-users-malware/

18. http://www.webroot.com/blog/2013/11/26/fake-mms-gallery-notifications-impersonate-t-mobile-u-k-expose-users-malware/

19. http://www.webroot.com/blog/2013/11/27/fake-octobers-billing-address-code-bac-form-themed-spam-campaign-leads-malware/

20. http://ddanchev.blogspot.com/

21. http://twitter.com/danchodanchev
Facebook Circulating 'Who's Viewed Your Profile'
Campaign Exposes 800k+ Users to CrossRider
PUA/Rogue Firefox Add-ons/Android Adware AirPush
(2013-12-04 02:25)

A massive, privacy-violating "Who's Viewed Your Profile" campaign circulating on Facebook has been operating beneath the radar, exposing over 800,000 users internationally to a cocktail of [1]PUAs (Potentially Unwanted Applications), rogue Firefox add-ons impersonating Adobe's Flash Player, and the Android-based adware AirPush.

Relying on the proven social engineering tactic of "offering what's not being offered in general" (Facebook provides no such feature), and hosting the rogue files on legitimate service providers - Google Docs and Dropbox in this particular case - the campaign is a good example of how this scheme, ubiquitous on the social network, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts and mobile devices.

Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422

Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/

Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej

Campaign's GA Account ID: UA-12798017-1
Domain name reconnaissance:

wh0prof.uni.me - 192.157.201.42

Known to have responded to the same IP are also the following domains:

cracks4free.info
pr0lotra.p9.org

Google Docs hosted PUA URLs:

hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqVFIjUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqUjllLWc4MVFRQUk&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqOXlyNkoOVFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqS3VlZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqMU5RVkJSWURxME0&export=download

Dropbox hosted Firefox add-on/Android APK URLs:

hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi
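Write-ups like this one publish their indicators defanged (hxxp://, hxxps://) and mixed into prose, so the first step in reusing them is to refang and extract. The following is an added example, not the author's code: it pulls the pivotable indicators out of text (URLs, Google Docs file ids, Dropbox share ids, the Google Analytics account id, MD5s and IPv4 addresses). The SAMPLE string is constructed for the example from indicators on this page; the Google Docs id in it is a placeholder in the page's format rather than a verified live value.

```python
"""Refang and extract the pivotable indicators from a campaign write-up.

Added example, not the author's code. SAMPLE is constructed from indicators
on this page (the Google Docs id is a placeholder in the page's format).
The GA account id (UA-xxxxxxxx-n) is worth pulling out separately: it is one
of the few values an operator reuses across otherwise unrelated campaigns.
"""
import re

SAMPLE = """\
Primary spamvertised Facebook URL: hxxp://FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit[.]ly/1bZCeNv?vsdvc -> hxxps://wh0prof.uni.me/ch/
Campaign's GA Account ID: UA-12798017-1
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqVFIjUDBnTjFHdVE&export=download
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.
"""

URL_CHARS = r'[^\s"\'<>]'  # characters that may appear inside a URL token

PATTERNS = {
    "urls": re.compile(r"https?://" + URL_CHARS + r"+"),
    "ga_ids": re.compile(r"\bUA-\d{4,10}-\d{1,3}\b"),
    "gdocs_ids": re.compile(r"docs\.google\.com/uc\?" + URL_CHARS + r"*?\bid=([A-Za-z0-9_-]+)"),
    "dropbox": re.compile(r"dl\.dropboxusercontent\.com/s/([A-Za-z0-9]+)/(" + URL_CHARS + r"+)"),
    "md5s": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def refang(text: str) -> str:
    """Undo the usual defanging: hxxp(s):// -> http(s):// (any case), [.] -> ."""
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)
    return text.replace("[.]", ".")


def _unique(items):
    """De-duplicate while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract(text: str) -> dict:
    """Return each indicator class as an order-preserving, de-duplicated list.
    Multi-group patterns (dropbox) yield (share_id, filename) tuples."""
    text = refang(text)
    return {name: _unique(pat.findall(text)) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for kind, values in extract(SAMPLE).items():
        print(kind)
        for value in values:
            print("   ", value)
```

The MD5 pattern will also match a 32-hex-character Chrome extension id only if it happens to be all a-f, which real Chrome ids (alphabet a-p) are not; if you add a pattern for those, run it before the MD5 one and remove its hits from the text.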
Detection rate for the served PUAs, the Android adware and the rogue Firefox add-on:

[2] MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider

[3] MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB

[4] MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen

[5] MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.

Time to (conservatively) assess the campaign's damage over the year(s). The click-through rate recorded by the URL shortener (the 800,000+ users cited above) should be considered conservative, as it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.

The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook's users into thinking that they can eventually see who's viewed their profile. Facebook users who stumble across such campaigns on their own or their friends' Walls are advised [6]to report the campaign to Facebook immediately.

This post has been reproduced from [7]Dancho Danchev's blog. Follow him [8]on Twitter.

1. http://www.webroot.com/blog/tag/pua/

2. https://www.virustotal.com/en/file/ecd6bb6e53477496ea45de362012b4b1d458ee966867eb89ea4005c5bd9fe8b3/analysis/1385988722/

3. https://www.virustotal.com/en/file/b44aabb0e235d36377f3cd55ec4af596a89c0a7814103369d3f48d54d29ffcc7/analysis/1385988808/

4. https://www.virustotal.com/en/file/72f3834e9c8ee164b7e82383415da822579ffb23fbfa7f55ac650a22b2386ee0/analysis/1386108420/

5. https://www.virustotal.com/en/file/3b25b67592b9b06fca05ab61abd16559e7c94f9ac3c225e5ae00ddc5318923c6/analysis/1386109278/

6. https://www.facebook.com/help/www/117257561692875

7. http://ddanchev.blogspot.com/

8. http://twitter.com/danchodanchev
Continuing Facebook "Who's Viewed Your Profile"
Campaign Affects Another 190k+ Users, Exposes
Malicious Cybercrime Ecosystem (2013-12-11 05:01)

Last week, immediately after I published the initial analysis detailing [1]a massive privacy-violating "Who's Viewed Your Profile" campaign that was circulating across Facebook, the cybercriminals behind it supposedly took it offline, with one of the main redirectors now pointing to 127.0.0.1.

Not surprisingly, the primary campaign has multiple sub-campaigns still in circulation. Based on the latest statistics - embedded within the campaign on the same day they supposedly shut it down - these have already exposed another 190,000+ of the social network's users to more rogue, privacy-violating apps: JS.Febipos, Mindspark Interactive Network's MyImageConverter and Trojan-Ransomer.CLE in this particular case. The original campaign appears to have been launched in 2011 and had already exposed 800,000+ users.

Let's dissect the still-circulating campaign, expose the entire infrastructure supporting it, establish direct connections between it and related malicious campaigns (indicating either that someone is multi-tasking, or that their malicious/fraudulent activities share the same infrastructure), provide MD5s for the currently served privacy-violating apps, and list the actual, currently live, hosting locations.
Sample redirection chain:

hxxp://NXJXBMQ.tk/?12358289 - 93.170.52.21; 93.170.52.33 -> hxxp://p2r0f3rviewer9890.co.nf/?sdk2222[...]2222ajsklfjaslfkjasfklja (the query value is a padding run of roughly 1,300 '2' characters followed by junk letters; abbreviated here) -> hxxp://prostats.vfl.us - 192.157.201.42 -> hxxp://whoviewsfb.uni.me/ch/profile.html - 82.208.40.11

Redirection chain domain name reconnaissance:

NXJXBMQ.tk - 93.170.52.21; 93.170.52.33
p2r0f3rviewer9890.co.nf - 83.125.22.192
whoviewsfb.uni.me - 82.208.40.11
prostats.vfl.us - 192.157.201.42
wh0stalks.uni.me - 192.157.201.42
cracks4free.info - 192.157.201.42

Known to have responded to 93.170.52.21 are also the following fraudulent domains:

0.facebook.com.fpama.tk
001200133184123129811.tk
00wwebhost.tk
01203313441.tk
01prof86841.tk
029m821t9fs.4ieiii.tk
031601.tk
0333.tk
0571baidu.tk
05pr0file21200.tk
05pr0file214741.tk
060uty80w.tk
06emu.tk
0886.tk
0akleycityn.tk
0ao0grecu.tk
0fcf7.chantaljltaste.tk
0lodllmtl.tk
0love.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.21 in the past:

MD5: ee78fe57ad8dbac96b31f41f77eb5877
MD5: bed006372fc76ec261dc9b223b178438
MD5: 58f9cbec80d1dc3a5afbb7339d200e66
MD5: fd0c6b284f7700d59199c55fdcd5bd8a
MD5: 4bfeb3c882d816d37c3e6cbb749e44af
MD5: 97ec866ac26e961976e050591f49fec3
MD5: aba1720b1a6747de5d5345b5893ba2f5
MD5: de5e1f6f137ecb903a018976fc04e110
MD5: a9669b65cabd6b25a32352ccf6c6c09a
MD5: 003f4d9dafba9ee6e358b97b8026e354
MD5: bab313e031b0c54d50fd82d221f7defc
MD5: e6b766f627b91fd420bd93fab4bc323f
MD5: d63656d9b051bf762203b0c4ac728231
MD5: 935440d970ee5a6640418574f4569dab
MD5: 2524e3b4ed3663f5650563c1e431b05c
MD5: f726646a41f95b12ec26cf01f1c89cf9
MD5: a5af6c04d28fcea476827437caf4c681
MD5: c7346327f86298fa5dad160366a0cf26
MD5: 912ed9ef063ae5b6b860fd34f3e8b83a
MD5: b33aaa98ad706ced23d7c64aed0fcad6
Known to have responded to 93.170.52.33 are also the following fraudulent domains:

0lwwa.tk
0msms.tk
122.72.0.7sierra-web-www.szjlc-pcb.tk
1z8dz.tk
4flwz8.ga
777898.ga
888234.ml
8eld7.tk
abmomre.tk
accountupdateinformation.tk
ahram-org-eg.tk
alex-fotos.tk
allycam.tk
amerdz.ml
angelsmov.tk
apis-drives-google.tk
apis-googledrive.tk
apple-idss.tk
appleid.apple.com.cgi-bin.myappleid.woa.apple-idss.tk
avtoshina.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.33 in the past:

MD5: 2d951e649a8bbcbfa468f7916e188f9f
MD5: dbe2c0788e74916eba251194ef783452
MD5: 4bfeb3c882d816d37c3e6cbb749e44af
MD5: dc01c1db51e26b585678701a64c94437
MD5: 61cc3de4e9a9865e0d239759ed3c7d5a
MD5: 64505b7ca1ce3c1c0c4892abe8d86321
MD5: 0b98356395b2463ea0f339572b9c95ef
MD5: 9e87c189d3cbf2fc2414934bef6e661b
MD5: 48964a66bdc81b48f2fe7a31088c041b
MD5: f81c85bea0e2251655b7112b352f302e

The following MD5s are also known to have phoned back to 83.125.22.192 in the past:

MD5: 3935b6efa7e5ee995f410f4ef1e613ab
MD5: 64c1496e1ba2b7cb5c54a33c20be3e95
MD5: 08f76a1ed5996d7dfdcf8226fe3f66b9
MD5: f508d8034223c4ce233f1bdbed265a3a

Known to have responded to 82.208.40.11 are the following fraudulent domains:

000e0062fb44cd5b277591349e070277.cz.cc
003bc1b16c548efbc4f30790e0bc17be.cz.cc
0057ab88a8febe310f94107137731424.cz.cc
008447a58c242b52cb69fe7dceea9a0b.cz.cc
00a47e5e57323f23c66f2c2d5bc1debc.cz.cc
00a9a591d1e7aaf65639781bc73199d4.cz.cc
00ad3353e0ba865a521da380ba4e0cc4.cz.cc
00d55beb792962f7a04c66b85f2c6082.cz.cc
00e3b9ece447187da3f43f98ab619a28.cz.cc
00eb52dbc4331a64e4fd96fdca890d9c.cz.cc
00f59cfa33cd097e943a38a8f2e343ee.cz.cc
00fbdb49398f0e5fd9d5572044d8934e.cz.cc
010ab81241856dfca44dd9ade4489fbc.cz.cc
011622fb7752328ebb60bd2c075f1fe6.cz.cc
011fbf88cff1c18e05c2afb53d6e5ffd.cz.cc
0133147433aeef23bbe60df0cbc4eac9.cz.cc
013f98b7157ae3754d463e9d2346a549.cz.cc
013fa3e9db6e476282b8e9f1bac6d68e.cz.cc
017c2bd33744c2d423a2a7598a0c0a4e.cz.cc
019368b1f3b364c0d3ec412680638f04.cz.cc

The following malicious MD5s are also known to have phoned back to 82.208.40.11 in the past:

MD5: 2c89dfc1706b31ba7de1c14e229279e5
MD5: 6719d3e8606d91734cde25b8dfc4156f
MD5: 61dcea6fbf15b68be831bff8c5eb0c1d
MD5: 3875fa91f060d02bddd43ff8e0046588
MD5: 929b72813bae47f78125ec30c58f3165
MD5: 96fa2ea6db2e4e9f00605032723e1777
MD5: c46968386138739c81e219da6fb3ead5
MD5: 3d627e0dbc5ac51761fa7cc7b202ec49
MD5: d9714a0f7f881d3643125aa0461a30be
MD5: 81171015a95073748994e463142ddcc7

Known to have responded to 192.157.201.42 are also the following fraudulent domains:

cracks4free.info
pr0lotra.p9.org
prostats.vfl.us
wh0prof.uni.me
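Both this post and the Android FakeInst post above pivot the same way: domains on a shared IP, domains registered with the same e-mail, samples that phone back to the same address. Put those relations into a graph and the pivots fall out of a bounded breadth-first walk. The following is an added example, not the author's tooling: the relations are transcribed from the two posts' text (a subset, defanged as bare hostnames), no live DNS, WHOIS or sandbox lookups are made, and the hop count it returns is a rough measure of how indirect, and therefore how weak, each link is.

```python
"""Infrastructure pivoting over indicators from this post and the Android
FakeInst post above (shared IPs, shared registrant e-mail, shared callbacks).

Added example, not the author's own tooling. The relations are transcribed
from the posts' text; nothing is looked up live. Each indicator is a typed
node ("domain", "ip", "email", "md5") and every relation an undirected edge.
"""
from collections import defaultdict, deque

# Transcribed from the posts (subset). Bare hostnames, no scheme.
DOMAIN_TO_IP = {
    "dlsdcncnew.net": "109.163.230.182",
    "newapk-flv.org": "109.163.230.182",
    "open-filedownload4.in": "188.95.159.30",
    "bestowedcomedyb.org": "109.163.230.180",
    "wh0prof.uni.me": "192.157.201.42",
    "wh0stalks.uni.me": "192.157.201.42",
    "prostats.vfl.us": "192.157.201.42",
    "pr0lotra.p9.org": "192.157.201.42",
    "cracks4free.info": "192.157.201.42",
    "whoviewsfb.uni.me": "82.208.40.11",
    "p2r0f3rviewer9890.co.nf": "83.125.22.192",
}
EMAIL_TO_DOMAINS = {
    "constantin.zawyalov@yandex.ru": [
        "dlsdcncnew.net", "downloader8days.in", "open-filedownload4.in",
        "upweight.in", "bestowedcomedyb.org", "rufileserver.in",
    ],
}
SAMPLE_TO_IPS = {
    # This MD5 is listed under both 93.170.52.x callbacks in the post.
    "4bfeb3c882d816d37c3e6cbb749e44af": ["93.170.52.21", "93.170.52.33"],
    "ee78fe57ad8dbac96b31f41f77eb5877": ["93.170.52.21"],
    "30cf98d7dc97cae57f8d72487966d20b": ["195.167.11.4"],
}


def build_graph():
    """Undirected adjacency over typed nodes: (kind, value) -> set of neighbours."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for domain, ip in DOMAIN_TO_IP.items():
        link(("domain", domain), ("ip", ip))
    for email, domains in EMAIL_TO_DOMAINS.items():
        for domain in domains:
            link(("email", email), ("domain", domain))
    for md5, ips in SAMPLE_TO_IPS.items():
        for ip in ips:
            link(("md5", md5), ("ip", ip))
    return graph


def pivot(graph, seed, max_hops=3):
    """Breadth-first walk from seed; returns {node: hops} for all nodes within max_hops."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue  # reached the radius: record the node but do not expand it
        for nbr in graph.get(node, ()):
            if nbr not in hops:
                hops[nbr] = hops[node] + 1
                queue.append(nbr)
    return hops


def co_hosted(graph, min_domains=2):
    """IPs that two or more listed domains resolve to: the co-hosting pivots."""
    result = {}
    for node, nbrs in graph.items():
        if node[0] != "ip":
            continue
        domains = sorted(value for kind, value in nbrs if kind == "domain")
        if len(domains) >= min_domains:
            result[node[1]] = domains
    return result


if __name__ == "__main__":
    g = build_graph()
    reach = pivot(g, ("domain", "newapk-flv.org"), max_hops=4)
    for node, n in sorted(reach.items(), key=lambda kv: kv[1]):
        print(n, *node)
    print(co_hosted(g))
```

A hop count of 1 is a relation stated in the post; 4 (newapk-flv.org to rufileserver.in via the shared IP, dlsdcncnew.net and its registrant e-mail) is the kind of link that needs corroboration before it goes on a blocklist, because shared hosting and privacy-proxy registrants produce exactly the same shape.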

Time to provide the actual, currently live, hosting locations for the served privacy-violating content.

Mindspark Interactive Network's MyImageConverter served URL:

hxxp://download.myimageconverter.com/index.jhtml?partner=^AZ0^xdm081

Google Store served URLs:

hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently active
hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej

Dropbox accounts serving the Android app (offline due to heavy usage) and the Firefox extension:

hxxps://dl.dropboxusercontent.com/s/rueyn3owrrpsbw4/whoviews5.xpi - currently online
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
Facebook App URL:

hxxp://apps.facebook.com/dislike_button/

Google Docs served privacy-violating apps:

hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqVFIjUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqOXlyNkoOVFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqS3VlZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziHmKCuQwqMU5RVkJSWURxME0&export=download

GA Account IDs: UA-23441223-3; UA-12798017-1

MyImageConverter Affiliate Network ID: ^AZ0^xdm081

Detection rate for the served apps/extensions:

[2] MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ

[3] MD5: 88dd376527c18639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scanners as JS:Febipos-N [Trj]; JS/Febipos
Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b also drops MD5: 106320fc1282421f8f6cf5eb0206abee and MD5: 43b20dc1b437e0e3af5ae7b9965e0392 on the affected hosts. It then phones back to 195.167.11.4.

Two more MD5s from different malware campaigns are known to have phoned back to 195.167.11.4:

MD5: 8192c574b8e96605438753c49510cd97
MD5: d55de5e9ec25a80ddfecfb34d417b098

The Privacy Policy (hxxp://prostats.vfl.us/firefox/pp.html) and the EULA (hxxp://prostats.vfl.us/firefox/eula.html) point to hxxp://dislikeit.com - 176.74.176.179. Not surprisingly, multiple malicious MD5s are also known to have previously interacted with the same IP:

MD5: d366088e4823829798bd59a4d456a3df
MD5: 3c73db8202d084f33ab32069f40f58c8
MD5: d7fce1ec777c917f72530f79363fc6d3
MD5: 83568d744ab226a0642233b93bfc7de6
MD5: c84b1bd7c2063f34900bbc9712d66e0f
MD5: 58baa919900656dacaf39927bb614cf1
MD5: a86e97246a98206869be78fd451029a0
MD5: 70a0894397ac6f65c64693f1606f1231
MD5: f9166237199133b24cd866b61d0f6cca
MD5: 0f24ad046790ee863fd03d19dbba7ea5

Based on the latest performance metrics for the campaign, over 190,000 users have already interacted with this sub-campaign since the 4th of December, when I initially analyzed the primary campaign.
Monitoring of the campaign is naturally in progress. Updates will be posted as soon as new developments take place.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter.

1. http://ddanchev.blogspot.com/2013/12/facebook-circulating-whos-viewed-your.html

2. https://www.virustotal.com/en/file/b44aabb0e235d36377f3cd55ec4af596a89c0a7814103369d3f48d54d29ffcc7/analysis/1386720892/

3. https://www.virustotal.com/en/file/4106e0e655822060a3dc83777aa88554c4f6e295b1f9474400d4820bd8e0d57b/analysis/1386720902/

4. http://ddanchev.blogspot.com/

5. http://twitter.com/danchodanchev
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Continuing Facebook "Who's Viewed Your Profile" 
Campaign Affects Another 190k+ Users, Exposes Ma- 
















licious Cybercrime Ecosystem (2013-12-11 05:01) 

Last week, immediately after I published the initial analysis 
detailing [l]a massive privacy-violating "Who f s Viewed 
Your Profile" campaign, that was circulating across 
Facebook, the cybercriminals behind it, supposedly took it 

offline, with one of the main redirectors now pointing to 
127.0.0.1. 

Not surprisingly, the primary campaign has multiple sub¬ 
campaigns still in circulation, which based on the lat¬ 
est statistics - embedded within the campaign on the same 
day they supposedly shut it down - has already exposed 

another 190,000+ of the social network's users - the original 
campaign appears to have been launched in 2011 

having already exposed 800,000+ users - to more rogue, 
privacy violating apps - JS.Febipos, Mindspark Interactive 

Network's MylmageConverter and Trojan- 
Ransomer.CLE, in this particular case. 

Let's dissect the still circulating campaign, expose the entire 
infrastructure supporting it, establish direct con¬ 
nections with it to related malicious campaigns, indicating 
that someone's either multi-tasking, or that their 

malicious/fraudulent activities share the same infrastructure, 
provide MD5s for the currently served privacy-violating 

apps, as well as list the actual - currently live - hosting 
locations. 
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Sample redirection chain: 

hxxp://NXJXBMQ.tk/?12358289 - 93.170.52.21; 

93.170.52.33 -> hxxp://p2r0f3rviewer9890.co.nf/?sdk22222- 

222222222222222222222222222222 

2222222222222222222222222222222222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 


222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 2222222ajsklfjasl 

fkjasfklja - > hxxp ://prosta ts.vfl. us - 192.157.201.42 - > 
hxxp://whoviewsfb.uni.me/ch/profile.html - 82.208.40.11 

Redirection chain domain name reconnaissance: 
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NXJXBMQ.tk - 93.170.52.21; 93.170.52.33 
p2r0f3rviewer9890.co.nf - 83.125.22.192 
whoviewsfb.uni.me - 82.208.40.11 
prostats.vfl.us - 192.157.201.42 
whOstalks.uni.me - 192.157.201.42 


cracks4free.info - 192.157.201.42 



Known to have responded to 93.170.52.21 are also 
the following fraudulent domains: 



The following malicious MD5s are also known to have 
phoned back to 93.170.52.21 in the past: 

Known to have responded to 93.170.52.33 are also the following fraudulent domains:


The following malicious MD5s are also known to have 
phoned back to 93.170.52.33 in the past: 


The following MD5s are also known to have phoned 
back to 83.125.22.192 in the past: 


Known to have responded to 82.208.40.11 are the 
following fraudulent domains: 


The following malicious MD5s are also known to have 
phoned back to 82.208.40.11 in the past: 


Known to have responded to 192.157.201.42 are also the following fraudulent domains:

cracks4free.info
pr0lotra.p9.org
prostats.vfl.us
whOprof.uni.me

Time to provide the actual, currently live hosting locations for the served privacy-violating content.

Mindspark Interactive Network's MyImageConverter served URL:

hxxp://download.myimageconverter.com/index.jhtml?partner=^AZ0^xdm081

Google Store served URLs:

hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently active

hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej

Dropbox accounts serving the Android app (offline due to heavy usage) and the Firefox extension:

hxxps://dl.dropboxusercontent.com/s/rueyn3owrrpsbw4/whoviews5.xpi - currently online

hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk

Facebook App URL:

hxxp://apps.facebook.com/dislike_button/ 

Google Docs served privacy-violating apps: 


GA Account IDs: UA-23441223-3; UA-12798017-1 

MyImageConverter Affiliate Network ID: ^AZ0^xdm081


Detection rate for the served apps/extensions:

[2] MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ

[3] MD5: 88dd376527cl8639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scanners as JS:Febipos-N [Trj]; JS/Febipos
Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b also drops MD5: 106320fc128242If8f6cf5eb0206abee and MD5: 43b20dclb437e0e3af5ae7b9965e0392 on the affected hosts. It then phones back to 195.167.11.4.

Two more MD5s from different malware campaigns are known to have phoned back to 195.167.11.4:

MD5: 8192c574b8e96605438753c49510cd97

MD5: d55de5e9ec25a80ddfecfb34d417b098

The Privacy Policy (hxxp://prostats.vfl.us/firefox/pp.html) and the EULA (hxxp://prostats.vfl.us/firefox/eula.html) point to hxxp://dislikelt.com - 176.74.176.179. Not surprisingly, multiple malicious MD5s are also known to have previously interacted with the same IP:



Based on the latest performance metrics for the campaign, over 190,000 users have already interacted with this sub-campaign since the 4th of December, when I initially analyzed the primary campaign.

Monitoring of the campaign is naturally in progress. Updates will be posted as soon as new developments take place.


1. http://ddanchev.blogspot.com/2013/12/facebook-circulating-whos-viewed-your.html

2. https://www.virustotal.com/en/file/b44aabb0e235d36377f3cd55ec4af596a89c0a7814103369d3f48d54d29ffcc7/analysis/1386720892/

3. https://www.virustotal.com/en/file/4106e0e655822060a3dc83777aa88554c4f6e295blf9474400d4820bd8e0d57b/analysis/1386720902/
■ Dissecting 'Operation Ababil' - an OSINT Analysis (2012-09-28 00:25)

■ Summarizing ZDNet's Zero Day Posts for August (2012-09-28 01:43)

■ Summarizing Webroot's Threat Blog Posts for September (2012-10-01 14:18)

■ Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two (2012-10-26 15:36)

o November

■ Summarizing ZDNet's Zero Day Posts for October (2012-11-02 01:47)

■ Summarizing Webroot's Threat Blog Posts for October (2012-11-02 02:34)

■ Managed Embedding of Malicious iFrames Through Compromised Accounts as a Service (2012-11-24 00:55)

■ Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product (2012-11-26 03:52)

■ Summarizing ZDNet's Zero Day Posts for November (2012-11-30 15:55)

o December

■ Summarizing Webroot's Threat Blog Posts for November (2012-12-01 00:31)

■ Upcoming Portfolio of Commercially Available CYBERINT Reports (2012-12-13 13:38)

■ Dancho Danchev's Blog Most Popular Posts for 2012 (2012-12-28 00:26)

2013

o January

■ Historical OSINT: OPSEC-Aware Money Mule Recruiters Hire, Host Crimeware and Malvertisements (2013-01-05 16:10)

■ Historical OSINT - Profiling an OPSEC-Unaware Vendor of GSM/USB ATM Skimmers and Pinpads (2013-01-05 20:42)

■ Raw Historical OSINT - Keeping Money Mule Recruiters on a Short Leash - Part Twelve (2013-01-07 22:56)

■ Summarizing Webroot's Threat Blog Posts for December (2013-01-09 19:34)

o February

■ Summarizing ZDNet's Zero Day Posts for January (2013-02-04 22:38)

■ Summarizing Webroot's Threat Blog Posts for January (2013-02-04 23:14)

■ Historical OSINT - Hacked Databases Offered for Sale (2013-02-06 02:03)

■ Dissecting NBC's Exploits and Malware Serving Web Site Compromise (2013-02-21 22:03)

o March

■ Summarizing Webroot's Threat Blog Posts for February (2013-03-04 15:31)

■ Dissecting NBC's Late Night with Jimmy Fallon Web Site Compromise (2013-03-07 00:52)

o April

■ Summarizing Webroot's Threat Blog Posts for March (2013-04-01 21:37)

■ Historical OSINT - The "BadB International" Cybercrime Enterprise (2013-04-10 21:53)

■ What's the ROI on Going to a Virtual Blackhat SEO School? (2013-04-17 23:45)

o May

■ Summarizing Webroot's Threat Blog Posts for April (2013-05-01 14:32)

■ Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook (2013-05-24 18:58)

■ A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports (2013-05-25 18:52)

o June

■ Summarizing Webroot's Threat Blog Posts for May (2013-06-04 15:24)

■ Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook (2013-06-10 15:07)

■ 'Anonymous' Group's DDoS Operation Titstorm (2013-06-12 20:01)

■ Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains (2013-06-20 22:44)

■ Fake 'Rihanna & Chris Brown S3X Video' Spam Campaign Spreading Across Facebook, Monetized Through Adf Dot Ly PPC Links (2013-06-22 10:56)

o July

■ Summarizing Webroot's Threat Blog Posts for June (2013-07-04 18:38)

■ Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills' Service Randomizes and Generates Unique Fakes On The Fly (2013-07-04 19:42)

■ A Peek Inside a Managed OTP/ATS/TAN Token Bypassing/Hijacking/Blocking System as a (Licensed) Service (2013-07-19 22:43)

■ Instagram Under Fire as Cybercriminals Release New DIY Fake Account Registration/Management/Promotion Tool (2013-07-23 17:01)

o August

■ Summarizing Webroot's Threat Blog Posts for July (2013-08-01 19:01)

■ Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise (2013-08-10 21:10)

■ Spamvertised 'Confirmed Facebook Friend Request' Themed Emails Serve Client-Side Exploits (2013-08-15 14:03)

■ The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Three (2013-08-21 20:57)

■ Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment (2013-08-22 18:19)

■ The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Four (2013-08-23 17:16)

■ Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards (2013-08-29 02:26)

■ Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand-jacking Money Mule Recruitment Scheme (2013-08-29 22:41)

■ Summarizing Webroot's Threat Blog Posts for August (2013-08-30 14:11)

o September

■ Rogue iFrame Injected Web Sites Lead to the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake Mobile Malware (2013-09-16 14:29)

■ Dissecting FireEye's Career Web Site Compromise (2013-09-18 19:41)

■ Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware (2013-09-28 13:53)

o October

■ Fake Pinterest 'Don't forget to confirm your email!' Themed Emails Serve Client-side Exploits and Malware (2013-10-01 21:12)

■ Summarizing Webroot's Threat Blog Posts for September (2013-10-02 16:10)

o November

■ Summarizing Webroot's Threat Blog Posts for October (2013-11-01 17:54)

■ Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of Asprox's Multi-Tasking Activities (2013-11-04 18:33)

■ Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang (2013-11-04 18:36)

■ Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang (2013-11-04 18:36)

■ Money Mule Recruiters Trick Mules Into Installing Fake Transaction Certificates (2013-11-04 18:37)

■ A Peek Inside a Customer-ized API-enabled DIY Online Lab for Generating Multi-OS Mobile Malware (2013-11-12 02:57)

■ New Commercially Available Modular Malware Platform Released On the Underground Marketplace (2013-11-13 00:15)

■ Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to Android Malware (2013-11-14 16:38)

o December

■ Summarizing Webroot's Threat Blog Posts for November (2013-12-03 23:38)

■ Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush (2013-12-04 02:25)

■ Continuing Facebook "Who's Viewed Your Profile" Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem (2013-12-11 05:01)